Slashdot Mirror


User: DavidTC

DavidTC's activity in the archive.

Stories: 0 · Comments: 10,705

Comments · 10,705

  1. Re:SSL is trying to do too much. on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    It runs, it just doesn't boot by itself. You have to push stone 23 half an inch to the left, and hold it during startup, until the system clears and you can see the moon. (Half an inch doesn't sound like much, but yes, it is.) Sometimes you have to push 22 the other direction, too, depending on how cold it is.

    And then you have to jiggle the Heelstone a few times if something gets stuck. Usually, like I said, it's stuck on the stupid obsolete bluestones, half of which are frickin missing so the entire subsystem doesn't even work. Yes, that saved some money when originally built, but sometimes you just have to throw away your first attempt.

    Also you can only boot it when the moon is waxing. If it's waning, all results are misaligned by about 2 degrees due to the idiotic northern Aubrey holes being slanted. (That's what the problem is assumed to be.) I don't know whose idea those were, either.

    They just leave it running most of the time.

  2. Re:Feminism is destructive on FOSS Sexism Claims Met With Ire and Denial · · Score: 1

    Why? Do black people commonly discount people's ideas because they are a woman or have a different skin color?

    Did you just call black people sexist and racist?

    That sounds racist to me.

  3. Re:Missing reference on FOSS Sexism Claims Met With Ire and Denial · · Score: 1

    Men and women want different things. Men and women value different things, short term, medium term, and long term.

    Hence they enter different careers, they have different hobbies, they arrange their social life differently, they enjoy different types of video games, etc.

    For some reason all the debate is about what men and women can do, instead of what they want.

    The inability to grasp this has resulted in such absurd levels of 'crying wolf' about sexism that actual sexist incidents get ignored.

    The reason women don't do FOSS is not that they're unable to do. The reason women don't do FOSS is not that they're discouraged from programming careers. The reason women don't do FOSS is not that they're forced out by sexism.

    None of those are true. The second was true once, but none of them are true now. The reason women don't do FOSS is that they don't like to fucking program web servers in their spare time. Why, I don't know, but a better question might be why the hell some men do.

    But that's not an important argument to make. It matters not one bit if any person likes to do that or not. If they like it, they should be free to do it in the same meritocracy as everyone else...and they are. They just don't want to be in the meritocracy.

    But we have moronic 'feminists' looking for things to complain about who notice a gender imbalance, and the idea that men might like to do something in different proportion than women never enters their heads. But a large number of programmers now are female, so clearly the FOSS community must, somehow, be either deliberately rejecting said women, or just have a horrible working environment.

    Luckily for that thesis, a lot of FOSS people are rather unskilled socially and thus one or two examples can be found, and, tada, another thesis proved, it's time for Superfeminist to fly away to save some more imaginary women and generate more ill will for 'feminists'.

    Meanwhile, right now, nurses are still seriously underworked and overpaid, and it might be a useful thing to get traditionally female professions to actual pay equality with male professions. But Superfeminist don't like to pay any attention to mostly-female professions because, according to her logic, such a profession must be actively discriminating against men. (As opposed to men simply not liking nursing.)

  4. Re:Textbook definition on FOSS Sexism Claims Met With Ire and Denial · · Score: 1

    No, maybe you're homophobic and only date straight people.

    So you're willing to date straight men and women both, but have figured out the logical paradox there and stopped asking out men that you immediately became prejudiced against when they said yes.

    It's like Groucho Marx's "I would not join any club that would have someone like me for a member.". 'I wouldn't date any men who'd date someone of my gender, because they're probably one of those f******.'

    ;)

  5. Re:No Denial Here But What Are the Reasons? on FOSS Sexism Claims Met With Ire and Denial · · Score: 1

    I think a lot of people here have become confused as to what 'sexism' means.

    Some people here are acting like it means 'misogynistic'. Which would be if people were talking about 'slapping bitches around' or something.

    Other people here seem to think it means 'bigoted about genders'. (Which is, indeed, what sexism means.) Which would be if people actually treated fellow OSS coders differently based on gender.

    But neither of those are actually what's going on, except via trolls.

    What's going on is people simply saying thoughtless things and behaving unprofessionally and making people uncomfortable by presenting images of sex, sometimes to the extent of creating a hostile environment. Sexual harassment and sexism are not the same thing.

  6. Re:Statistics IS evidence -- "flamebait" on FOSS Sexism Claims Met With Ire and Denial · · Score: 1

    Statistically, many more men than women have ADD.

    Statistically, a larger portion of the coder population has ADD than would be normally expected. Especially the people who code for fun. Even accounting for gender differences.

    If we assume some sort of variable, called X, that at 100 results in ADD, and at 50 makes someone want to code for fun, and then we assume that this is more likely in men, we can easily explain the rates of men in OSS using the rates of men with ADD.

    People trying to point to what the various genders want to do as an example of sexism are just stupid. The genders sometimes want different things on average. Yes, there's a question if we're pushing people away from considering things because of sexism, but there's also the damn fact that a lot of men don't really want to be nurses. (To pick a rather uncontroversial example.)

    A woman might be fine as a programmer as a job, and, just like a lot of people, be good at her work without particularly enjoying it.

    But such a person is unlikely to end up doing OSS.

  7. Re:Statistics IS evidence -- "flamebait" on FOSS Sexism Claims Met With Ire and Denial · · Score: 1

    More importantly, do any of you people actually believe this happens in the slightest amount?

    I went through college a decade ago. I went to second rate schools in the South. If there was anywhere that was going to be sexist, it was there.

    I saw nothing at all. No sexist comments or treatment whatsoever.

  8. Re:SSL is trying to do too much. on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    they've lost the Nazca Plain key server

    Dude, that's not the problem. The key server's working fine, it's just the previous admin didn't document anything, so no one knows how to issue any more without doing the entire thing manually. (And drawing giant figures in by hand? No fun.)

    Avebury is completely trashed (half the stones there are uncalibrated replacements)

    And the rest are uncalibrated originals. ;) Seriously, total crap.

    Stonehenge was originally just a backup ring in case the Avon flooded: I bet you couldn't get a millithaum per second out of it even on the equinox AND with a FULL team of chanters on hand.

    Stonehenge won't even boot anymore, because it's a stupid in-place restore over the damn original bluestones. It needs a full pull-down, leveling, and rebuild.

  9. Re:and WHY doesn't Slashdot use HTTPS? on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    Users shouldn't turn it on, sites should. There should be an HTTP header that says 'Even if this came over an SSL link, it does not contain any private information, and you should feel free to cache it on disk.'. Web servers could add it to all static images by default.

    Right now, it's all put in the session cache, but there's plenty of stuff, like images and CSS, that could stay around without any security concerns at all.

    What would also be nice, while you're doing that, would be to be able to put that cacheable SSL content in non-SSL pages. (That is not a security issue...the other way around is.) So that you could hand them, on your starting page, your background graphic over SSL, and get that cached and used on all pages, both SSL and non-SSL, even if they had not clicked 'Login' and entered the SSL area of your site yet.

    Yes, you can use pre-loading and cache it in the background, but the point would be to use a single URL on the entire site so it's only downloaded and cached once, preferably on disk, instead of being cached once SSL and once non-SSL.

    ...now that I think of it, I'm not entirely sure what happens if you have SSL content on a non-SSL page. Pretty sure you get a warning, or Google Analytics wouldn't have that goofy code in their javascript. Does anyone know what the point of this warning is? The whole point the other way around is so you can't hijack the pages marked as secure by replacing non-secure elements...what the hell is the supposed issue if the page isn't marked secure?

  10. Re:You're doing it wrong on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    Forget 'fingerprint'. Like I said somewhere else here, banks should give out CDs with a branded Mozilla Prism or something on them, designed to only connect to their site, and has an icon in your Start Menu to do just that.

    If users don't access their bank via their web browser, they can't ever be MitMd.

    And someone's about to say 'But what about Linux users?'. Firstly, Prism works on Linux just fine, but more importantly, there's nothing stopping the bank from having a login accessible from outside their 'banking application'...and just tell the people who need to know where it is, not most people.

    If 95% of users access their bank only through a 'banking application' and not via the 'web site' (Even though, of course, those are the same thing.), that's 95% of users who aren't subject to MitM. (Well, except via infection, but you can't stop that.)

    Let people run it off the CD and put it on USB drive to run it places they can't install software. Be sure to make an iPhone app also. Have a Java version. It's just a damn web browser that looks like a program.

    And, even better, you could eventually incorporate such things as real-time confirmation of CC purchases. And easy-to-use single-use CC numbers.

  11. Re:You're doing it wrong on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    If you make key certification a separate, explicit step that the user has to actively pursue (which is what all pgp implementations do), then you don't have to worry about clueless users "accepting" a shady key and it being forever trusted after that.

    I think you've managed to say it much better than all my bitching about this issue has.

    SSL is like if the only way to protect an area on the internet was to build cardboard walls with people walking around outside them ready to defend against attackers. This allowed people inside to safely recite credit card numbers and whatnot.

    But some people wanted, you know, some privacy without having to rent defenders. Yes, without defenders, people can batter their way in. Or insert cameras and spy on us. We know that.

    But without walls, they can just walk in. Or stand there staring at us and write down everything we say. Yes, we're not saying credit card numbers, but that doesn't mean we should have no privacy for our game of Magic the Gathering or whatever.

    For the longest time, some people just painted defenders on the cardboard walls, which wouldn't help if anyone attacked, but satisfied the requirement that some defenders existed.

    And people got used to that, and would happily walk past one at any time...even if it was supposed to have been at their bank, who logically should have had real ones.

    Everyone realized this was insecure, so cardboard paintings were outlawed, and all the walls with people painted on them were torn down.

    And now we're...more secure?

  12. Re:Look at Scottrade on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    The real joke is HTTPS pages with a form that submits to an HTTP page. Sorta a 'Ha, we tricked you!' page. Bonus points if it submits it as a GET.

    I think modern browsers catch that and give a message, but I remember seeing that way back when.

  13. Re:MITM attack on browser downloads on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    If an attacker has the means to intercept such traffic from general users, then what good would SSL be anyway?

    No shit. If someone can MitM wamu.com, or, more likely, hijack the DNS, everyone's screwed anyway.

    All the attacker has to do is replicate the site without SSL. People will go there, login, whatever, and won't get SSL errors because the attacker's not using it.

    Incidentally, the easiest way to stop attacks on banking websites would be for banks to give out CDs that installed something like Mozilla Prism, a nice fancy branded icon that went straight to the bank's web site (But not the public one.), checking that it was not only signed but signed by the right cert company and had the correct MD5 sum and everything.

    It could update itself via some custom protocol...I would recommend just leaving the old SSL site intact, with the old cert, and putting a redirect on it (Along with expected MD5 and whatnot.) to a new one.

    This application could also run off the CD, or install onto USB drive, for people who wanted to access their bank somewhere they couldn't install it.

    If no one's ever expecting to go there in their web browser, but instead in their 'bank program' no one will fall for a MitM. And if they're given them on CDs, handed out at their bank (Big stack by the door, or the teller gives them when you sign up for online access.), they won't fall for download links.

    I.e., SSL to stop MitM banking transactions is sorta solving the wrong problem. It is trivially easy to know we're actually dealing with our bank, because we have physical contact with our bank in advance of any electronic contact. They just need to give us something to help with that.

    As an added bonus, their web site designers no longer need to code for 10 different browsers.

  14. Re:Of course IT professionals don't get it on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 2, Funny

    No kidding. How hard would it be for the router to actually vaguely explain what OSes can be expected to understand each type of encryption, and which you should use unless you have Specific Older Device or have discovered that some device you have doesn't work. What, do they have 32k of firmware room and no space for explanations?

    Of course, most router control panels appear designed by idiots anyway.

  15. Re:SSL is trying to do too much. on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 2, Informative

    All browsers would have each registrar's root CA certificates in their CA store. When a person registers a domain name, the registrar also gives them either an issuer certificate for that domain or a wild card certificate for that domain. The person could then either use the issuer certificate to make more (www.example.com, store.example.com, etc.) or just use that wild card certificate (*.example.com).

    Congratulations, you have just invented DNSSEC.

    Next task: Get root registrars to actually publish and issue root certificates to the registrars.

    After that, get browsers to support them.

  16. Re:SSL is trying to do too much. on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    ....erm, does OpenID support HTTPS? How does that work? You'd need to specify https, and then the OpenID site would need to spring for an expensive wildcard cert.

    Which they won't for their free OpenID service.

    OpenID does not solve the problem people are talking about solving.

    In fact, OpenID doesn't really solve any existing problems at all. It would be a cool concept if, you know, web browsers didn't store login cookies and names and passwords. But as they do, it is hard to see what OpenID is bringing to the table. It's a cool idea, and I wish them luck, and there are ways I can see it becoming incredibly useful, but saying 'OpenID providers can get SSL certs' is not actually a solution to this.

    Moreover, it only protects logins. If forums actually had SSL, they'd probably start using it for most private areas, as CPU time is now so cheap. Private messaging, user config, whatever.

  17. Re:SSL is trying to do too much. on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 2, Interesting

    Except, if you don't verify the identity of the recipient, encrypting data is as much use as putting a steel door on a tent.

    You know, you hit that analogy perfectly, but apparently did not bother to think about it.

    A steel door on a tent is much better than no door on a tent.

    Let me guess: You think locking a car or house is a waste of time, because any fool can break in via windows? You think it would be better if we couldn't lock our car or house, because locking it gives us a false sense of security?

    Perhaps, you should maybe consider that those of us who want a little more security know exactly what we're asking for and what the weakness of it is, but think sometimes a small level of security is a better choice than none?

    That maybe we think protecting web forum passwords from sniffers, and from man-in-the-middle attacks because it saved the cert when you went there the first time, might be a vaguely logical thing to do, and yet those thousands of forums are not going to purchase SSL certs?

    Oh, and while we're at it, companies would no longer have to fuck around with self-signed certs for intranet sites.

  18. Re:SSL is trying to do too much. on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    This is the biggest problem I have with SSL, that no one ever bothered to set up a system for encryption without authentication.

    Which would, for one thing, make it much harder to sniff passwords. (Yes, yes, there's HTTP Digest...if you use HTTP auth, which no normal web site does.)

  19. Re:Well, I agree. on Rupert Murdoch Says Google Is Stealing His Content · · Score: 1

    That analogy is not exact.

    The real analogy would be if that guy, next to the free billboard for you, ran a billboard for himself.

    I think everyone agrees that such behavior would be...erm...outrageous? And that you should get a cut of the profits from that other billboard?

    Right?

  20. Re:typical slashdot hatefest... on Rupert Murdoch Says Google Is Stealing His Content · · Score: 1

    Erm, you must be new here.

    Slashdot readers do not, in fact, read the fucking article.

    And, more to the point, we bitch and moan about the AP also, like when it started attacking bloggers who quoted it.

  21. Re:Fix his wagon. on Rupert Murdoch Says Google Is Stealing His Content · · Score: 1

    No, not if the company actually asks for it. It is certainly not anticompetitive to not do business with a company that has stated they don't want to do business with you.

    Murdoch, however, is not the company.

    The correct response to Murdoch's moronacy should be for Google to state publicly that 'News Corps' is apparently under the impression indexing requires permission, and that Google somehow doesn't have that permission.

    They should express uncertainty if Murdoch is speaking for News Corp, and give News Corp the opportunity to issue a statement that they disagree with Murdoch and he wasn't speaking officially, and that they do not think Google is 'stealing' anything.

    If News Corp does not do that, Google should say:

    'Okay, we disagree with the idea that people can charge us for indexing their stuff...but we'll play along with the idea for now. Sadly, we can't actually operate our business in this manner, so we're going to have to stop indexing your stuff. (Here is the list of sites we know is owned by you.)'

    'Please let us know if you detect us 'stealing' any more of your content.'

  22. Re:Inevitable on Why AT&T Should Dump the iPhone's Unlimited Data Plan · · Score: 1

    It's not really 'surfing' that's sucking bandwidth. I'm betting that purchasing stuff from the iTunes store is causing large bandwidth usage.

  23. Re:2 Problems with this on Why AT&T Should Dump the iPhone's Unlimited Data Plan · · Score: 1

    Most AT&T customers do not go anywhere near 100MB of data and are perfectly willing to pay a flat $40 monthly fee.

    Indeed. I have an iPhone, and I do a lot of data transfers on it. Lots of stuff, up and down. When it was jailbroken (When the hell is the jailbreak for 3.1 coming out for Windows?), I even put scummvm with huge 600 meg games on it via scp.

    But I did that all, of course, over my wifi, not the cell phone network.

    I'd love to have some sort of restricted plan. Hell, I don't even need 100MB...how about 10MB? That should be enough to look up when a movie starts or even load a Google Map a few times a month.

    I'd make sure I was on wifi when I synced my RSS reader or bought a new app. In fact, they could make new purchases of apps or music or whatever wait for wifi if the user wanted.

    They could even make push notifications that you could restrict to just when you're on wifi. Which would not actually be 'push', but whatever. You would not have to launch an app to check it, the phone itself would tunnel into Apple and check for notifications.

    Why won't they do that?

    By cutting their bill by $30 you have just thrown away $30 of AT&T's profits.

    Ah, that's why they won't do that.

  24. Re:I used to work for patent lawyers on Eolas To Sue Apple, Google, and 21 Others · · Score: 1

    Well, to be fair, you can't actually see your car engine.

    I think most of us would try to crank it a few times before finally looking, and a good percentage of people, reasoning that they know nothing about cars and couldn't diagnose any problem, would not look. (Despite the fact, in this case, they'd be wrong.)

    This example is more akin to asserting that your car will not move...and somehow not noticing that's because someone has stolen your ignition keyhole. (Whatever that system is called.)

    How the hell do you even know if your computer works or not if you don't try to actually turn it on, and thus notice that it does not exist?

    Because some computer users haven't bothered to learn the simplest facts about their computer. They are doing the equivalent of leaving a car running in park because they're too dumb to know where the off-switch is.

    I'm sorry, that's a level of ignorance that isn't acceptable in modern society, especially among any profession who uses computers as part of their job. Some guy who doesn't use or own a computer not knowing what's going on when he sits down at one at the library, okay, but not someone who uses one every day.

  25. Re:What about the CA that issued it? on Null-Prefix SSL Certificate For PayPal Released · · Score: 1

    And banks and whatnot should offer to email people who sign up for net access some sort of installable cert, or a program that checks if their saved cert is correct.

    Seriously, SSL was stupid to start with. The SSL trust model is especially stupid.