Firesheep Author Reflects On Wild Week
alphadogg writes "Firesheep, the Mozilla Firefox add-on released about a week ago that lets you spot users on open networks visiting unsecured websites, has given creator Eric Butler more than his 15 minutes of fame. More than 542,000 downloads later, Firesheep has thrown Butler into the middle of heated discussions regarding everything from the ethics of releasing the code to the legality of using it to the need for website vendors to clean up their security acts. Butler, who describes himself as a freelance Web application and software developer, reflects on the past week's happenings in a new blog post that reads in part: 'I've received hundreds of messages from people who are extremely happy that the issue of website security is receiving attention. Some, however, have questioned if Firesheep is legal to use. I'd like to be clear about this: It is nobody's business telling you what software you can or cannot run on your own computer. Like any tool, Firesheep can be used for many things. In addition to raising awareness, it has already proven very useful for people who want to test their own security as well as the security of their (consenting) friends. A much more appropriate question is: "Is it legal to access someone else's accounts without their permission."'"
...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business."
Living With a Nerd
"Is it legal to access someone else's accounts without their permission."
No.
Firesheep is as legal as nmap in case anyone wondered.
Correct. And gun shops do that all day every day, all over the country.
The CB App. What's your 20?
Actually, now that I'm thinking about it, I'm not so sure that works...
Living With a Nerd
Nah, It's more like saying "here's a fueled up truck, if you can find anyone who leaves their doors unlocked, and decide to take all their stuff, well that's your business."
He's probably wondering how much money he'd have made if he'd charged for it.
Why is there a big discussion about session hijacking now? Hasn't this sort of thing been around for years? Granted in the past an attacker would be using something like Wireshark and some other fancy networking tools to nab your cookie rather than a Firefox addon that even the lowliest of script kiddies can run.
At least in Germany, you can only legally use Firesheep if all "victims" have agreed to have their data intercepted. Use this on the wrong person and you're going to end up in deep deep trouble.
You could say the same thing regarding just about any tool.
"Here's a Silver Hammer, Max. Now, if you decide to hit someone with it, that's you're business."
"I use a Mac because I'm just better than you are."
Well, exactly. Plenty of people use loaded guns to shoot ducks, bullseyes, deer, clay pigeons, etc. Loaded guns aren't necessarily about murder of humans.
An IT admin might want to see if people in his/her company are running insecure activity on company computers. For example.
...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business."
Well, that's exactly the NRA's argument, and it seems to work for them......
...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business."
or stop someone else from hurting or killing others. Yes, us big kids sometimes use sharp tools if the job calls for it.
Would you have it otherwise?
It's rather, here is a lock pick. Now if you use it to break into someplace, without authorization, that's your business.
I doubt any of them sell pre-loaded guns. Guns and ammo, sure. Loaded guns? Not likely.
...after this and the whole Google fiasco, manufacturers will take a hint and make WPA encryption mandatory. You can't realistically expect users to know how to configure this stuff and it doesn't actually cost the company anything extra.
"A much more appropriate question is: "Is it legal to access someone else's accounts without their permission.""
No, that's not an appropriate question.
The answer is a clear-cut, resounding, "NO".
His add-on simply sniffs the open air for cookies from a list of sites that use http instead of https. Then you get a little "log in" button to take that cookie as your own.
While effective, it's trivial to do, and doesn't uncover any new exploits or weaknesses.
Firesheep is only intended for illegal purposes, thus Firesheep itself may be deemed illegal in many countries, or the use of it may be justifiably restricted to certain activities (such as penetration testing).
This wasn't an unpatched exploit that a big company took months to fix.
This wasn't some obscure vector that went unacknowledged for years.
This was a fucking design decision.
Sending credentials in the clear is retarded. This shit needs to stop, and if it takes an asshole like Eric Butler trolling Facebook and Twitter users at Starbucks to get it changed, so be it. Companies don't cater to the experts, they cater to the masses. The only way to get shit changed is to make the masses bitch.
What we can conclude from this fiasco is:
Butler is an asshat.
Many major sites don't give a shit about security.
Many major sites do give a shit about public perception.
In order to get things fixed, we need asshats like Butler pointing at the wide open door and shouting to the plebes, "LOOK WHAT I CAN DO!".
That would be more akin to breaking the wireless encryption and then doing the sniffing.
Mind if I use your Slashdot account?
Well you do have to install it and then run it.
Besides it's not like you can run firesheep without Firefox installed to begin with.
I'm sorry but networking and security are not my forte. Can someone describe what the problem is, what this add-on does and how to protect yourself or your website? All in clear terms and please refrain from using acronyms.
When was the last time you bought a gun? Every time I've bought a gun, after filling out the paper work and waiting for the instant background check to be approved (which is not instant by the way, you get to stand around feeling awkward for five minutes while the salesman gets to wait on hold after giving your information to whoever is on the other end of that phone) I've been given the gun, usually either locked in a case or locked with a trigger lock and immediately escorted out of the store.
Some places I went to won't even sell you ammo the same day! How annoying is that? I just want to go home and plink some pop cans with my new gun!
It is interesting. A common mantra of law enforcement is that "ignorance of the law is no excuse for illegal behavior."
So is ignorance of security technologies an excuse for publicly broadcasting your password to people around you?
There is nothing illegal about receiving and interpreting radio signals which are unencrypted. So if some schmoe is typing a password into a non-SSL page over a non-encrypted radio network, they are actually (though ignorantly) broadcasting their password right at you.
If you write your password on a wall inside a room that you think is private, is it illegal for me to look at it through a window?
It is more like saying "If someone is unknowingly using software with security holes, you are allowed to spy on them". Actually, it is exactly like saying that.
At least in my country we have laws regarding privacy and secrecy of correspondence. If the mailman accidentally brings me my neighbor's post, it is illegal for me to read it. Yes, it might be impossible to catch me but it would still be illegal and unethical. Similarly, I am not allowed to spy on communication someone intends to be private and personal, even if they're unknowingly using software with security holes. Nor should I be.
Some people argue that we shouldn't outlaw anything that we can't effectively monitor (IE: We shouldn't outlaw this because we couldn't catch most of the people doing this anyways). I understand their point but I respectfully disagree.
Haha
This is about public/paid wifi hotspot operators and the whole business model of offering open wifi.
I have yet to see any major hotspot provider that secures their access, although in theory it would be possible, most don't do it because no one feels unsafe yet.
Firesheep may change that.
Make sure everyone's vote counts: Verified Voting
I think a better analogy would involve spy cameras / x-ray vision.
But I don't see why analogies are needed. If he just wanted to draw attention to web security he would have made the tool delete the cookies. Clearly he wants to have an impact. CodeJoker, anyone?
This situation with web security is similar. People simply refuse to believe it is an issue.
There's a huge error in the article of course. I'm sure all Slashdot users will have picked it up, but I'll spell it out for the slower ones among you. Mr Butler is quoted as saying "It is nobody's business telling you what software you can or cannot run on your own computer." This is quite wrong. It's Steve Jobs' business what you run on your computer. Right, carry on.
And it's got Radar + GPS to unlocked doors :p
"Guns don't shoot people, Firefox shoots people!"
That seems to be the nature of the hyperbolic rhetoric in this sub-thread.
The fact is, this information is available to anybody sniffing traffic. If we were to restrict tool design, because it exposed shoddy application security and architecture? Then all we'd have is old, crappy tools. "Ban NMap and Nessus! Traceroute and Ping are enough to get your jobs done!"
Fuckbook needs to get their act together, as do the other egregious offenders. Remember: the Zuckerberg business model depends on the discreet sharing of this data, without the user's full cognisance or consent. At least you know what they are shipping to folks like Zynga...
"Flyin' in just a sweet place,
Never been known to fail..."
Enabling this type of crime (invasion of privacy) is just as criminal and even more morally/ethically suspect than the people who commit it. The users can at least excuse their trespass as curiosity or at worst a crime of opportunity, while Eric had the opportunity many times over to question the decision of creating and then releasing the tool. Hacking tools are one thing; this puts the keys into the hands of the everyman. Pretending that it is just an honest tool that 'might' be used inappropriately is a farce.
Karma is a fickle bitch, and she doesn't trade bullshit for redemption. I'm thinking it will only take one large company to get burned badly by this irresponsible choice to illustrate this to our young, self-righteous Eric.
If it were a mere hacking tool that required some technical proficiency, maybe ... in this case you are handing the loaded gun to a 10-year old with simple a-b-c instructions and a list of potential targets, and a promise that it will be very difficult if not impossible to prosecute them.
Try a car analogy. That might work better.
It's like there's a new car being sold and the bonnet (that's "hood" to you) is held on by an elastic band. You start selling knives and instructions for removing the "hoods". This is, of course, saving the lives of some of the people who drive those cars and many of the people behind them. Still, Ford is going to try to pin it on you and deny any responsibility for selling cars with the hood held on with elastic bands.
This is 100% solved with standard basic web security. The only reason it's not done is that Facebook & co want an extra few hundred dollars to go with the pile they already have. HTTPS should have been active from the beginning.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
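The fix this comment points to (keep the whole session on HTTPS so the session cookie never crosses an open network in clear text) can be checked from the site operator's side. The following is an added example, not part of the original thread and not code from Firesheep; the host names, cookie names and sample responses are constructed, and the issue codes are this example's own labels.

```python
"""Audit captured response headers for session cookies exposed to passive sniffing."""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(url, headers):
    """Return a list of (issue_code, detail) for one response.

    url     -- the URL that was requested
    headers -- list of (name, value) tuples exactly as the server sent them
    """
    issues = []
    is_https = url.lower().startswith("https://")
    saw_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            saw_hsts = True
        elif lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if not is_https:
                # The cookie itself travels in clear text on this response.
                issues.append(("COOKIE_OVER_HTTP", cookie))
            elif "secure" not in attrs:
                # Issued over TLS, but the browser will also attach it to any
                # later plain-HTTP request to the same site.
                issues.append(("COOKIE_NOT_SECURE", cookie))
        elif lname == "location" and is_https and value.lower().startswith("http://"):
            # Typical "HTTPS login, HTTP everything else" pattern.
            issues.append(("DOWNGRADE_REDIRECT", value))
    if is_https and not saw_hsts:
        # Without HSTS a user who types the bare host name starts on HTTP.
        issues.append(("NO_HSTS", url))
    return issues


# Constructed sample data: two sites, one with the weak pattern, one hardened.
SAMPLE_RESPONSES = [
    ("https://social.example/login", [
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Location", "http://social.example/home"),
    ]),
    ("http://social.example/home", [
        ("Set-Cookie", "prefs=dark; Path=/"),
    ]),
    ("https://bank.example/login", [
        ("Strict-Transport-Security", "max-age=31536000"),
        ("Set-Cookie", "sid=xyz789; Path=/; Secure; HttpOnly"),
    ]),
]


def audit_all(responses):
    """Map each URL to its list of issues."""
    return {url: audit_response(url, headers) for url, headers in responses}


if __name__ == "__main__":
    for url, issues in audit_all(SAMPLE_RESPONSES).items():
        print(url, "OK" if not issues else issues)
```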
Except for one minor difference: guns kill things.
No. It's more like "I've hidden some explosives in several of your neighbors' cars. Here's a remote detonator. If you press the button, there will be damage.
Now, if you decide to use it, that's none of my business. At least I encouraged the discussion of how to disarm explosives".
You are welcome on my lawn.
If some busybody tried to "escort" me out of a store for simply buying something, I'd tell them to reverse the whole transaction immediately. I've bought a few guns in my time, and ammo with them, and never have been treated like that, nor would I ever accept being treated like that.
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
Well now I think you both aren't putting analogies to good use. In Pojut's case, it's not a matter of life or death so it seems drastically exaggerated. In your case Zeek, you have understated that the tool's primary focus is to perform an act which without permission is considered illegal.
It's easiest NOT to analogize it - everyone here can understand what the tool does, and what its focus is. The tool is designed to give access to another person's web account via insecure wireless transmissions.
Using that to test your own security is a lot like a white hat exposing vulnerabilities. The problem is that this vulnerability is public and made incredibly easy. Google accidentally (or so they claim) exploited this vulnerability, and are under a lot of flak for it.
So - to wrap this up with a good car analogy, since your guys' analogies have failed,
It's like giving someone a fueled up Google car capable of sniffing Wifi for usernames and passwords.
Almost every state has some kind of waiting period for handguns, unless you have a concealed carry permit valid in that state. Rifles and shotguns are pretty much universally buy-n-run though.
Ditto. They politely ask to keep the ammo in the box you bought it in (duh) and let me on my way. One time I bought a pistol and was allowed to walk to the other side of the store and pick up something else before I carried my newly purchased firearm to the front where I handed them the receipt showing I bought it and the ammo.
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
No linux build?
Correct. And gun shops do that all day every day, all over the country.
Uhuh. And sporting goods stores sell baseball bats every day, too. If you decide to brain someone with it, that's your business.
What's your point?
If you can't convince them, convict them.
They let you have the pointy scissors? All I got were these rounded ones that don't cut well. :(
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
It's rather, here is a lock pick. Now if you use it to break into someplace, without authorization, that's your business.
It's more like:
Here is a butterfly net.
Hold it up in the air and see if you catch any of the house/office/car keys that people are throwing all around.
--
codk
So do cars, baseball bats, metal poles, knives, toasters, anti-freeze, bleach, duct tape applied over the mouth and nose, yard chemicals... I could list hundreds of tools that kill things (pets, adults, and children included.) It doesn't mean I'm going to use them for that purpose.
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
A linux build is available here. It's a Firefox add-on file (xpi). I have it up and running on Ubuntu fine. You'll need libpcap installed obviously.
You need to make sure you run firesheep-backend --fix-permissions as root manually before it'll work. You'll find this in Firefox's plugins directory.
All info taken from here.
that's you're business.
No, that's your business.
Well now I think you both aren't putting analogies to good use. In Pojut's case, it's not a matter of life or death so it seems drastically exaggerated. In your case Zeek, you have understated that the tool's primary focus is to perform an act which without permission is considered illegal.
It's easiest NOT to analogize it - everyone here can understand what the tool does, and what its focus is. The tool is designed to give access to another person's web account via insecure wireless transmissions.
Using that to test your own security is a lot like a white hat exposing vulnerabilities. The problem is that this vulnerability is public and made incredibly easy. Google accidentally (or so they claim) exploited this vulnerability, and are under a lot of flak for it.
So - to wrap this up with a good car analogy, since your guys' analogies have failed,
It's like giving someone a fueled up Google car capable of sniffing Wifi for usernames and passwords.
Trucks are for stealing. Action implied by its nature.
That is his point. You're making it redundantly twice for him.
There are two types of people in the world: Those who crave closure
Many people who own trucks might argue with your statement.
Firesheep is as legal as Limewire... Oh wait.
Come on! You're using this software to break into the other person's computer and modifying their data... oh wait.. Um.. okay, you're using this software to log onto a publicly-accessible web server owned by a third party to modify data that was consensually released to The Cloud by a... aw jeez, nevermind.
This would be a valid analogy if guns were meant to expose a critical weakness of the human anatomy. But of course guns are not made with any of this sort of journalistic intent. Firesheep is only an effective medium because many people have used it and brought it into the media spotlight. And while the media's interpretation of its message has generally been, "How can we protect ourselves from this trivial exploit?", the author's intent is undoubtedly to ask why major social websites are not taking these overt security risks seriously.
The primary purpose of the tool is to publicize poor security practices at major social web sites.
The primary function of the tool is to automate the sniffing and use of a session cookie.
If you think Google was sniffing session cookies you are an idiot.
That the exploit only works on a network that the computer doing it can access makes it easier to do on open networks, but Firesheep should work just fine over networks that use WEP.
Nerd rage is the funniest rage.
It's more like saying here's a list of car makes and models that don't have functioning locks even though their owners think the locks work.
One last thing: Sometimes I wonder; "Is that someone's signature? Or do they type that at the end of each post?"
So how about "here is a key duplication kit, have fun"?
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
A lot of people may not remember but MS tried to blame the "tools" back when the first MS TCP exploits started showing up in the mid 90's. Remember winnuke.c in 1997? You could send OOB data packets from Linux and Samba (and eventually from other Windows machines) to Windows machines which would kill any Windows machine instantly. MS played this off as rogue software that is doing things that it shouldn't as the real problem, not their faulty TCP stack that handled it poorly. Even news releases were worded that way blaming others for the problem. They did release a patch over a month later. Remember Land and Teardrop? MS had the same response then as well. Although Linux and several others were affected by that too but the owners took responsibility for it and fixed it without blaming it on the bogeyman.
I am business?
Filthy, filthy copyrapists!
"Loaded guns aren't necessarily about murder of humans."
But killing everything else on the planet is perfectly acceptable unless humans say otherwise, right?
Filthy, filthy copyrapists!
I agree, the problem with Fuckbook is that half the girls are fake or just friend whoring. Craiglist is much better.
that's you're business.
No, that's your business.
Your right, my bad.
Now the danger of unsecured wireless is no longer something that only tech heads know about. When you make it easy like this, it gets a lot of attention quickly. This makes it much more likely for websites to fix it. To be honest with you, I thought that gmail had been converted completely to SSL after the incident with Chinese authorities breaking into the accounts.
Really? Show me where I can buy a loaded gun.
Every day we live with the fact some random asshat could punch us in the face, but we don't walk around with football helmets on the street do we?
Security isn't black vs. white.
"Escorted" can mean many things. You assume the store owner was trying to get rid of the customer. But perhaps the store owner was providing an escort to ensure the customer, giddy over the purchase of their new firearm, was able to find the door. Or maybe the "escort" was from an escort service, in which case I'd like to inquire: where was that gun shop again, and what is the cheapest firearm they sell?
To play devil's advocate using your example it'd be the same as selling "child poison" and saying there are plenty of other things you could do with it. :) I don't disagree with you that tools can be abused for non-intended purposes, but this software is being promoted for its intended purpose. The fix is stronger security protocols of course, but I couldn't resist the analogy - sorry.
This is the same old debate...when are you all going to see that this is a morals issue and nothing else?
Gun Laws) People will shoot people if they intend to, whether with guns they get legally or illegally. It's probably safe to say the vast majority of legal gun owners would never say anything like, "Eh...well I have this gun I bought legally, and I think I'm going to go shoot someone..but if I didn't have it right here, I'd probably just stay home on the couch."
Prop 19) People will smoke pot if they want to, whether it's legal or not. If it becomes legal, the people who don't smoke pot should continue to not smoke pot - unless, of course, the only reason they didn't was because it was illegal and they didn't want to get in trouble. Others should continue to value their own reasons and not masquerade as some governmental-moral-machine. "I don't do it because the government says it's bad!" How pathetic is that.
Firesheep) People will h4x0r uR 4cc0untz0rz & uR b0x0rz if they want. Firesheep doesn't actively or automatically attack peoples' accounts - it's YOUR decision to use the information you've gathered for whitehat or blackhat reasons. Like many others have stated, nmap, ping, traceroute, and all of their friends in /usr/bin have been around for a long time. It's just as easy to use other tools. The problem is, website admins that are suspect to these vulnerabilities don't give a sh*t about, or plain just don't understand, basic website security. I would love to assume that with how profitable Facebook is, they'd have the brain power to fix this vuln. when they realized it was a very easy thing to exploit.
By the way, I'm really baked right now so if any of this is incoherent my apologies. ;)
It is pitch black. You are likely to be eaten by a grue.
The fact that this software shows whether a wifi site is open or not is a very good thing. There was some babble by an ignorant British politician about illegal rubbish. Again, the politician was an IDIOT! For YEARS, police have told people: if you leave your house, close the door behind you, and oh by the way, you might consider locking that door. Likewise the car: don't leave it unattended, with the keys in (and still running). If you are going to leave it, shut it off, close the door, and oh, yes, lock the door. This application quickly tells about locked doors and unlocked doors. I am sick and tired of politicians saying 'oh, no don't allow them to look for that' and I'm saying "CHUCK YOU FARLEY!", if you buy the house, if you buy the car, IF YOU BUY THE COMPUTER!!!, then learn to fucking use it! Quit being a moron! Learn to lock the door! I don't mind showing people who are willing to help themselves, but I get real testy about suffering fools gladly. If you door was locked and you got hacked, I will help you. I will get real forensic about tracking who got in. BUT: If you had no security, don't know about it, don't want to know, didn't lock the door, and can only bitch, then you bent over willingly sparky, they bum fuked you and you showed them where to enter. Don't go on about feeling dirty and needing a shower! You painted a target on your butt, you tore a hole in the back of your pants, and let them do as they wished, bending over and crying out "More! More!". I don't have sympathy for you.
I respectfully disagree with the loaded gun analogy. Accessing another computer requires programming and networking knowledge, even if it's just a terminology that you have to know. The average human being does not possess such knowledge, so it would be more like comparing it to an alien gun that only aliens can use (like District 9 movie guns). And suddenly you give humans that "alien arm" that can fire the gun. Without that "arm" humans would never be able to fire this type of "gun".
If some busybody tried to "escort" me out of a store for simply buying something, I'd tell them to reverse the whole transaction immediately.
Just bring your own ammo and shoot that fucking guy.
Thank you, Edward Snowden.
"Arguments from authority are worthless." —Carl Sagan
regarding everything from the ethics of releasing the code
For Christ sake, it's been years that we (slashdot readers) all know what's going on about session cookies over an unencrypted wifi like at Starbucks and so on. Releasing Firesheep just shows everyone that aren't tech savvy how much SSL is important, and how easy session hijacking can be. Releasing Firesheep could only make some good in this regard, as nobody was moving forward, including major social networking sites. This is exactly the same as when you release a security fix: you should at the same time, disclose what the issue is. Here, it's been decades we know, and nobody is doing anything.
We can go in a room if the door isn't locked, with a big sign "get in, free entrance". Well, isn't it time to think that maybe, having a door might help? I'm not even talking about a big lock, or making the room nuclear explosion proof, but maybe just a simple door with a lock could help? No, it's better (according to people that TFA's correspondents) to blame those shouting there's no door...
Now, it's going to be interesting to see if these social networking sites will finally do the move to encryption. And it's not as if it was a technology so hard to implement is it? So what the hell are they waiting for? Maybe they feel like having databases of stolen accounts sold in the wild, so they can say "oh, look at bad guys"? Come on... Do your homework, then we'll talk again.
No, the real problem was with the script kiddie morons deploying winnuke.c.
To have a right to do a thing is not at all the same as to be right in doing it
Dude, I'd forgotten about that. I was working 2nd line at the time, and a few of us were messing around with it, knocking out each other's PCs for lulz. Until one guy whacked the Exchange server...!
You should not be allowed anywhere near firearms.
To have a right to do a thing is not at all the same as to be right in doing it
You're saying information over an unencrypted link was...private?
Sorry, I'm having difficulty understanding how you came to your conclusion. If it's an unencrypted link, it's unencrypted.
My argument is indeed that people don't know nor should they be required to. "We bother with SSL icons, etc." so that the people who know about such can check that everything is in order. But people should be able to expect that when they log in to a site, the communication is between them and the site. Do you really think that they intend the communication to be public just because they don't remember/know enough to check SSL icons and whatnot? No? Then the "If it isn't encrypted, it isn't private" argument really doesn't hold water. Hell, Google doesn't offer image search over SSL but I still consider my image searches to be private. It is unethical to exploit that security flaw.
Let's look at it this way. When you are speaking, you are broadcasting sound. Your neighbor might be able to spy on it by using a specialized microphone he targets towards your house. Does that mean that what you say inside your own house shouldn't be considered private and that it is ethically OK to do that? No. Or well, at least I don't think so. Your views might differ.
It's probably easier for more people of less intellect to get hold of a gun, than it is for them to use Firesheep effectively.
Using it for research and with consent is a rational choice. Not one thing that involves guns is rational.
What I love is that the same people who say "this is just software, it's not the developer's fault if users happen to use it for illegal/immoral purposes" are the same ones who come on and demand death-by-torture for spammers.
To have a right to do a thing is not at all the same as to be right in doing it
startkeylogger
the perceived problem was that ms didn't want to patch it, nor were there easily installable tools that would've filtered those packets. a more accurate description of the problem was that those flaws were in the implementation in the first place(and that a single subsystem fault escalated to a total bsod).
what it did do though, was to expose a lot of incompetent sysadmins for being totally incompetent to run their jobs - previously they had been just janitors, hanging around posing the they knew better than the kids - whilst they didn't know better than the kids.
besides the real fun only started when the win32 port of the exploit appeared, maybe at some point some 'experts' were arguing that constructing raw packets should be illegal without license (which, if you think about it for even a minute, is totally stupid, as it would create a club of people who have the rights to develop).
firesheep is just another gui to something we all had access already to as well. it's what you do with those tools what matters, using wireshark is mandatory in many university courses and such tools help you deduce how things work.
world was created 5 seconds before this post as it is.
being public and extremely easy can't be the problem, if it's not public it doesn't exist and something being easy is just a matter of perception on things that are doable.
on top of it, it's just software. software which could be recreated by hundreds of thousands of people on earth if they were just told a single sentence about what it does.
world was created 5 seconds before this post as it is.
You've obviously never bought a gun at wal-mart. They have the best prices on new Ruger 10/22s.
From that sketchy guy in the back alley, just make sure you aren't wearing the wrong "colors".
By your logic we are to assume that any vehicle capable of holding cargo is a theft tool and the owner a thief. So the question is are you a thief or do you drive a tiny stripped-down moped?
The tool is designed to give access to another person's web account via insecure wireless transmissions.
As you're not the person who designed the tool that statement is at best an assumption. How can you know what the design intent was? The designer has stated that it was designed to expose and bring attention to the security flaws so there would be more pressure for them to be fixed.
Nothing here is being 'unlocked' no key is needed. There is no encryption being used, it's all plain-text data.
What I love is that the same people who say "this is just software, it's not the developer's fault if users happen to use it for illegal/immoral purposes" are the same ones who come on and demand death-by-torture for spammers.
In your example the spammers are the users and not the developers so I fail to see the hypocrisy there...
Addendum: Sometimes the spammers are both user and developer but it is what they do in their capacity as a user (send us boatloads of spam) that causes them to be so hated. (Sorry for the double post, I thought of that case just after hitting submit)
Agreed.
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
It would have to be something like 90%* off before I would give up that much self-respect.
*What can I say? Everybody has their price.
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
If you notice your neighbor left their window open and starts undressing, do you let them know their window is open?
And do they blush and thank you, or call the cops and report you as a peeping tom?
If "having someone else carry the merchandise I purchased to my truck and load it in the back for me" is "giving up self-respect", I need to find a way to give up more of it.
I don't know where you come from, but where I'm from self-reliance is a virtue. Places that offer to carry things for me make me feel awkward, it's like what do I look like, an 80 year old woman? I don't need help performing basic functions, thanks. And if it's made mandatory that somebody else perform those basic functions it's even worse. That's why I don't buy gas in Oregon. Do it your damn self and be proud of it, and fight for your right to do it yourself, or you may find in the long run that you should have been more careful what you wished for.
Goddamn people are fucking lazy sheep these days, practically begging for somebody to run their lives. I suppose it's how people were raised. Kids think they're entitled to instant gratification for every whim, that somebody's going to do the work for them and be thankful for the privilege. When I was a kid, if I was cold I went and split the logs myself, made a fire and tended it as long as I had to. And I was raised to see that as an honor not a chore, one that I had to earn through responsibility, as gaining self-respect through laboring for yourself instead of leaning on somebody else. If somebody labors for you when you could have easily done it yourself, you lose respect, and you should lose pride. It seems most people these days have tons of "self-esteem" but nothing to be proud of, so they have nothing to lose, so why not let somebody else do the work for you? It's convenient. Yeah, that's what good character is built on.
Makes me want to go split some wood. Heh, all this righteous indignation may finally even be the catalyst necessary for me to do some yard work and clean the gutters. Fucking leaves.
I support the Slashcott and will not be reading or commenting from 2/10/14 to 2/17/14. Beta is steaming pile of dog shit
There are tasks we all have to perform to get by in this life, but it seems silly to me to define your own self worth through the effort you put into such tasks. I'd much rather define myself through the things that matter to me and the things I'm passionate about, rather than the tasks I needlessly made more difficult and still managed to finish.
I don't get done cleaning my toilets every weekend and think "I'm proud of the excellent job I did of sanitizing this bowl.", I think "Yay, that chore is done, now I can move on to something less mind-numbing."
I don't finish mowing my lawn every week and think "The 45 minutes I just spent mowing makes me a better person.", I think "That chore's done, time to clean the pool."
I don't finish cranking out 500 shotshells every month and think "The shells I have re-loaded are vastly superior to what I could have bought at the store, the guys at the range are gonna be jealous.", I think "I just saved $100, so I can afford to go skeet shooting more often." From my point of view, the 'self-esteem' and 'self respect' issues are reversed. Why do you have self esteem or self respect for doing the same thing everyone else does? It's like putting a 'participation trophy' above the mantle and telling everyone how proud you are to have received the award everyone else involved got. Do something special or meaningful, and have self respect and self esteem because you did those things. Being proud that you did stuff you don't enjoy just makes you seem like a masochist.
Doh, forgot to include my counterexample: Chainsawing. If you ever need anything chainsawed, I'm your man. That's a menial task I actually enjoy.
Most of the advertising content delivery networks (and this does include Google's AdSense) don't support https. Thus, if the social media site used https for the entire session, then they wouldn't be able to serve ads.
Huh ? Sorry ? WTF ?!?
No sorry it doesn't work that way. At all.
The ads work that way : You have a (javascript generated) IFRAME which pulls data from the ad server.
The ad server knows which URL this IFRAME was called from. They decide what ad to serve based on that URL.
This part works no matter whatever the protocol is. It could be FTP. It could even be off-line.
The actual important part is how the ad server gains knowledge about a page and decides what to show.
- Google : Indexes the pages. It doesn't matter if the page is HTTP or HTTPS. It has to be a page that the google bot can see (so it's important that it's not password protected, and that it's not blocked by robots.txt)
- Most Facebook ad services: get information through Facebook APIs. The IFRAME-generating javascript is fed with more information (or can even tap leaked information) (so the ad server gets more than the URL), and the ad server sees information based on what the privacy settings are (if they are honoured) (so they get more than what a web crawler would see, which normally is just an empty "please log in to continue" page).
Again that has nothing to do with the transfer protocol and only with the Facebook API offered to advertisers +/- privacy setting.
or use https and break all kinds of network technologies (e.g. proxy caches)
Proxy caches are not a problem.
- What is critically important against identity theft is the session cookie or whatever is the token with which a user identifies. A tiny piece of data. And completely personal (not cacheable at all: no 2 persons will transmit the same info, so there's no gain in storing it and replaying it).
- What must be privately controlled is mostly text. Again it's not a lot of data. And it's again user-specific (I won't see the same thing on my FB home page as you, so there's no point that the cache server stores my copy as you won't need it. In reality this is much more complex due to heavy AJAX but you got the idea).
- Facebook relies heavily on AJAX: 99% of what you see doesn't even exist as a page outside your browser. It's basically a long chat of requests and data answers. Not a useful page to cache at all.
- The only thing which could be cached and which is the same for every one are the static elements like the interface's graphics, audio. They are huge (compared to text, I mean) they are static (the same for all users) and are even served from a separate server.
- Only the users' photos are a little bit problematic. (They could be cached but would pose privacy problem if someone sniffs the URL).
So except for photo :
- No sensitive data can benefit from caching.
- The rest can be cached and as not-sensitive, doesn't need encryption.
And the whole thing doesn't even take into account distributed servers and load balancing (you don't rely on cache to lower stress on your server. You rely on having lots of slave servers. You push content from master to slaves. And then make it so that user requests are spread across the slaves: just make sure that everyone connects to the nearest datacenter)
There is no way to have authenticated but not encrypted data
There are :
- Digest Access authentication
- Public Key authentication
etc.
But the problem is that it can't be used on nice Web 2.0 webpages with cool HTML graphics. Instead the browser displays the classic boring login prompt.
and the browser security functions make it very hard to mix content from different sources.
Not if the web site doesn't do any silly cross-domain scripting or whatever.
And in fact, web applications like Meebo have proved that it's possible to handle the decryption/encryption of sensitive information entirely in client-side javascript software. So the entire website can show up as a uniformly HTTP website, and the Javascript takes care of encrypting the sensitive data before sending it, or decrypting it upon reception.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
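An added example, not part of the comment above or of any site's code: a check of the comment's point that the session cookie is the small piece of data that must never travel unencrypted, while static content can stay on plain HTTP. It audits constructed `Set-Cookie` headers; the host names, cookie names and the `SESSION_NAMES` set are assumptions.

```python
# Added example. All headers below are constructed; hosts and cookie names are hypothetical.
SAMPLE_RESPONSES = [
    ("http://social.example/login",
     ["Content-Type: text/html",
      "Set-Cookie: session_id=3f9a1c; Path=/",
      "Set-Cookie: lang=en; Path=/"]),
    ("https://social.example/login",
     ["set-cookie: session_id=3f9a1c; Path=/; HttpOnly",
      "Set-Cookie: csrf=77ab; Path=/; Secure"]),
    ("https://social.example/home",
     ["Set-Cookie: session_id=9b2e44; Path=/; secure; HttpOnly"]),
    ("http://static.example/logo.png",
     ["Cache-Control: public, max-age=86400"]),
]

# Assumption: cookie names that identify a logged-in user on this site.
SESSION_NAMES = {"session_id", "sid", "auth"}


def parse_set_cookie(line):
    """Return (cookie name, set of lower-cased attribute names) for one header line."""
    value = line.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", set()
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit(url, header_lines):
    """Flag session cookies that can cross the network unencrypted."""
    scheme = url.split(":", 1)[0].lower()
    findings = []
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line)
        if name not in SESSION_NAMES:
            continue  # cookies outside SESSION_NAMES are out of scope here
        if scheme != "https":
            findings.append((url, name, "issued over plain HTTP"))
        elif "secure" not in attrs:
            findings.append((url, name, "no Secure attribute: browser will also send it over HTTP"))
    return findings


def audit_all(responses=SAMPLE_RESPONSES):
    return [f for url, lines in responses for f in audit(url, lines)]


if __name__ == "__main__":
    for finding in audit_all():
        print(*finding, sep=" | ")
```

The static image response produces no finding: it sets no identifying cookie, which is the case the comment describes as safe to cache and serve without encryption.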
Oh My God! I must go out and buy a football helmet! How did I make it this far without being punched?!?!
Ummm, as long as you have opposable thumbs, buying a gun and some ammo is about the same as buying a loaded gun.
The CB App. What's your 20?
Thank you for explaining my point to captain obvious :)
The CB App. What's your 20?
It seemed like he needed to be beaten with a clue stick, and I was happy to accommodate!
There are two types of people in the world: Those who crave closure
"...it amounts to "Here's a loaded gun. Now, if you decide to shoot someone with it, that's your business." - by Pojut (1027544) on Tuesday November 02, @04:27PM (#34105208) Homepage
Per my subject-line above, the same thing happened to myself, albeit circa 2004, except I never intended to produce a "gun"... & the same has happened to Nir Sofer of NIRSOFT (who I had a LONG discussion via email regarding this happening to myself AND to HE), and Dr. Mark Russinovich of Microsoft too.
I used to hang around a forums called NTCompatible.com & one of the forums members there was using an OLD version of Apache webserver. That user told me he HATED how it left a screen up when he ran it under Windows (apparently, it wasn't implemented as a service at that point in those days). The best the guy could do was minimize it to his starbar, & he didn't like that (and he couldn't afford to buy a commercial one).
So, myself just being the "good neighbor" on that forums, I wrote him up a simple app that allows a user to launch an app "invisibly", because he didn't know how to code (additionally, the app's not 'scriptable' like a malware would be, you had to do it manually & select the app to launch thus, via a file-open type dialogbox, & it uses what most compilers provide (a "spawn" C/C++ type command, which have parameters for launching things invisibly).
In the end - He was happy, & it only took me 10 minutes to write it up for he, so I was happy to help out a pal online.
The problem? Well, next thing I know??
Heh - I was surfing the web one day in 2005 or so, just to see where all of my apps I wrote circa 1995-2006 ended up: I found it on Computer Associates' website, listed as a MALWARE (albeit, with "ZERO/0 threat level")...
This was a GIANT SHOCK to me in fact...
I went looking for apps I wrote, as it's nearly IMPOSSIBLE to keep track of apps unless you keep a website with an agreement to ONLY download from YOUR website (this is not a cost I wanted to ever incur in running a relatively "larger scale website" personally, because I had websites that "bandwidthed out" many times in the late 1990's with apps I wrote (See, despite ISP's saying "unlimited bandwidth"? You are LIMITED! Another classic case of false advertising you've all probably seen before)).
So, I just directly uploaded my apps to big sites like ZDNet, CNET, etc./et al (but others began listing my apps all over the place, which was out of my direct control & ability to control).
Needless to say - WELL, this PISSED ME OFF TO NO END!
Why???
Mainly because CA even listed it under my MIDDLE NAME + LAST NAME, rather than my first, middle, last name (links with this are below). I don't search for myself under my middle & last name, only first, middle, & last name!!!
(I.E.-> CA listed it under Peter Kowalski, minus my 1st name Alexander, so I'd most likely NEVER end up finding it, or, so they thought).
In the end????
I took this to an attorney (John Lowe Jr. of Hiscock & Barclay - referred to me by my normal attorney for other matters whom I retain for those purposes, she's great at those, but not this type of thing), who said I had a WINNING CASE vs. CA, for libel of myself, to the tune of $150,000 U.S. Dollars!
The attorney 1st suggested I take their 21 point test and I passed it on EVERY SINGLE POINT, not violating even 1 of their constraints! I even spoke DIRECTLY to the head of CA's antimalware suite on the phone, a Mr. Craig Jensen, who @ first was pretty cool about this, & having my app removed there... & then later the next day, suddenly, he "flipped the script" and gave me ALL KINDS OF SHIT & told me never to call he again.
I then asked the attorney (John Lowe Jr., of Hiscock & Barclay) when we could proceed w/ legal action vs. CA, & he told me that yes, even though I had a winning case?
Taking on the likes of a company the s
Kids think they're entitled to instant gratification for every whim, that somebody's going to do the work for them and be thankful for the privilege. When I was a kid, if I was cold I went and split the logs myself, made a fire and tended it as long as I had to
Are you sure you are not 80 years old :-)
Still, being a lot younger than you, I also see self-reliance as a virtue, and most of the people of my age think about that exactly the same way.
The problem is society as a whole: it's easier to handle a dumb crowd that relies on you for survival than people who know what they want and won't be fooled around.
As a result, schools train you to be mindless puppets.
Don't think too much about it though. It's easy to get paranoid.
Hah, I stumbled upon this while looking for information about Firesheep:
http://www.cafepress.com/shopclark/744267
Hilarious, IMO. Gonna buy one right now and wear it to Starbucks!