Slashdot Mirror


User: JackHoffman

JackHoffman's activity in the archive.

Stories: 0
Comments: 152

Comments · 152

  1. Re:Open AP? on UK Man Convicted For Wi-Fi Piggybacking · Score: 1

    You don't have explicit permission to connect to this webserver. Disconnect now and don't make further connection attempts before you have explicit permission.

  2. Re:Open AP? on UK Man Convicted For Wi-Fi Piggybacking · Score: 1

    Making a laptop connect only to access points that are meant to be open requires installation of a mind-reading patch that is pretty hard to come by. On the other hand, closing your access point to strangers is 2 minutes work with a web interface.

    Why is it that you want to make unsafe networking acceptable? You're making things worse for everybody: The people without a clue get their data stolen because, if it's illegal to connect to a default-open access point, why bother with encryption? And the people who know their tech can't automatically use public hotspots anymore. If you were really out to help the computer illiterate, you would strive to make selling access points illegal which pose as open access points by default. Instead you try to impede a valuable and legitimate application of wireless LAN technology: Automatic free internet access through public hotspots. So what is your motivation?

  3. Re:Open AP? on UK Man Convicted For Wi-Fi Piggybacking · Score: 1

    I can see how you might interpret that as a genuine disservice to the owner.

    I don't like to have my arguments misrepresented and mutilated like that. If you argue that an open access point should be protected by law from being treated as a public access point, you remove an incentive for securing access points. That is the only incentive that users can easily understand because they too can use other open networks without a problem. There is no special knowledge required to do that, contrary to what they would need to know to use a wireless LAN sniffer, which would show them the other strong incentive to encrypt their wireless network. Lack of demand for encrypted networks will keep manufacturers in the market that sell default-open access points. BTW, users who leave their AP open by accident are also the users who are most likely to use their neighbors' open access points by accident (their computers are set to automatically connect to an unencrypted network with a default SSID). This can cause exactly the same problems as intentional freeloaders if the user is a filesharer or worse.

    what would you say initiates the connection?

    The AP. The user's computer is typically configured to react to incoming packets. The AP is actively sending packets all the time. A laptop mostly listens passively to conserve battery power. The only situation where the computer initiates the connection is when the AP doesn't broadcast the SSID. In that case the computer regularly (in much longer intervals than the SSID broadcasts) tries to connect to known SSIDs.

  4. Re:Open AP? on UK Man Convicted For Wi-Fi Piggybacking · Score: 2, Insightful

    The way this is relevant is that it's a pretty wild frequency band. There are not only wireless LANs but also Bluetooth, microwave ovens, wireless TV transmitters and lots of other things in that band. If you respond to anything in that band, you better know what you're doing. The access point has as much to do to establish a connection as the client computer. Let's not forget that the standard has no other way of declaring an access point open but to leave encryption off, and there's a good reason for that too: If you don't encrypt the network, everyone in range can read everything on that network, which pretty much is the opposite of private, don't you think? If your wireless network is unencrypted by accident, you have much bigger problems than "unauthorized" internet users. Anyone who argues that open access points should not be treated as public access points is doing computer illiterates a tremendous disservice by encouraging unsafe wireless networking. That argument alone should end this discussion, but apparently people prefer to pay lawyers instead of paying a tiny fraction of the legal fees to avoid legal problems altogether by having computer technicians properly install hardware that the user doesn't understand or by buying hardware that comes with a secure preconfiguration.

  5. Re:Open AP? on UK Man Convicted For Wi-Fi Piggybacking · Score: 2, Interesting

    w/ SSID broadcast turned off, then you should be allowed to sue for unauthorized access

    No, you should not. Turning SSID broadcast off will not keep others from accidentally connecting to your AP if their own wireless network uses the same SSID. At the very least you would have to set a non-trivial (i.e. random) SSID and turn off SSID broadcasting to have a case against unauthorized access. I really don't understand why people are so adamantly avoiding encryption. The same people who go to court to defend their precious private bandwidth apparently don't care that their private data is broadcast to everybody in the neighborhood.

  6. Re:Open AP? on UK Man Convicted For Wi-Fi Piggybacking · Score: 1

    I do not see anywhere in your argument provisions for communicating back to the AP

    It's a public frequency band. I am allowed to transmit whatever I want, within certain technical bounds. All devices in that band are required to be able to deal with such traffic, for example by ignoring it.

  7. Re:Open AP? on UK Man Convicted For Wi-Fi Piggybacking · Score: 1

    I was responding to an analogy, not making one myself. I think analogies are a stupid way of dealing with wireless LANs, because wireless LANs are like nothing people regularly deal with. They're closest to internet servers: they are reachable over a public medium and they're under the control of their owners but autonomous in their operative decisions. But then people don't usually have internet servers, especially not the kind of people who accidentally operate open access points, so that analogy would be mostly useless. Your analogy also leaves much room for improvement, because it ignores that extraordinarily dim-witted drivers who take instructions from anybody are not very common in the real world. If there were more of those and the number of limousines that are meant to be used by passers-by wasn't zero, then we might very well think that you're an idiot if you don't instruct the driver to only drive you and people who use your "service" are not at fault.

  8. Re:Hear hear on UK Man Convicted For Wi-Fi Piggybacking · Score: 1

    When people use analogies to explain things that are no more complicated than the analogy (and you know that "an unlocked door" is a legal minefield), then they usually do so to move the discussion to an emotional level. It's an attempt to transport an established gut feeling about what's right to a different case. I fully support analogies when they're used to get an initial understanding of a process, but in the end you have to know the thing for what it is, not for what it is like, before you can pass judgment.

  9. Re:Backwards.... on UK Man Convicted For Wi-Fi Piggybacking · Score: 1

    The people who created the wireless LAN standard fortunately had more sense than the people who involve the courts in these issues. The engineers knew that no wireless LAN can be private unless it's encrypted, simply because the physical layer is a broadcast medium. So yes, there is such a banner: An open AP does not demand encryption. We joke about the "evil bit", but somehow in discussions about wireless networks, there are always people who really want something that is equally pointless.

  10. Re:Open AP? on UK Man Convicted For Wi-Fi Piggybacking · Score: 1

    It's like he just walked into their yard to use their garden hose

    Unless he parked on their lawn, no, it's not like that.

  11. Re:Open AP? on UK Man Convicted For Wi-Fi Piggybacking · Score: 4, Insightful

    If you wear a sticker that says "Hi, my name is John", then you can't complain if I talk to you and ask you to give me a ride. If you then answer "yes, get in the car", you can't complain if I do get in the car and tell you that I would like to go to the next McDonald's. If you then drive me there, you can't complain that I hitched a ride from you and didn't pay you. An open router is a very friendly piece of hardware. It tells people that it's there, it hands out IP addresses and it routes strangers' packets and all you have to do is ask for the favor.

  12. Re:Backwards.... on UK Man Convicted For Wi-Fi Piggybacking · Score: 2, Insightful

    There is a reasonable threshold for "saying no". If your AP/website is indistinguishable from an access point/website that is meant to be public, then you're not saying no in a reasonable way. That is the only way the internet and public hotspots can work. If your AP uses WEP-40bit encryption, you're not doing what's necessary to protect your data, but you are clearly saying no to users who did not get the key from you. Likewise, even simple HTTP authentication is sufficient for making a resource private.

  13. Re:Open AP? on UK Man Convicted For Wi-Fi Piggybacking · Score: 4, Insightful

    It's no different than seeing an unlocked door.

    Yes, it is very much different from seeing an unlocked door. That's why intelligent people don't resort to analogies to discuss simple concepts like communication over radio waves. The established standard has means of negotiation that allow people to use a shared resource without prior agreements. Using the standard is vital to many interesting and legitimate uses of the shared resource. You're advocating a restriction on useful applications to give technological nitwits the illusion of safety, while in reality their baseless assumption of being protected only causes them to be more vulnerable because they see no need to secure their networks. There is not even one good reason for punishing the use of open access points by anyone.

  14. Re:I thought this was invalid anyway on Hacker Defeats Hardware-based Rootkit Detection · Score: 5, Insightful

    The rootkits that are written to the disk aren't the biggest problem. Like you said, one can "simply" look at the drive from a clean system. The problem is with rootkits that are only installed in RAM, while the system is running. The attacker exploits some hole in an application or in the OS and then transfers the whole system into a virtual machine that looks exactly like the real thing, so the rootkit can't be detected from inside the OS. Nothing is written to disk, so when the system is powered down, the rootkit vanishes into thin air. Servers are unlikely to be powered down often and even if they are, the cracker can simply attack again. With the rootkit undetected, it is likely that the exploited bug has not been corrected. Common wisdom was that this type of attack can be detected by looking at the contents of the RAM in a way which bypasses the OS. The rootkit has to be somewhere, right? Well, according to this article, there is a way to hide the real RAM contents from hardware assisted forensic methods.

  15. Re:Could be quite useful... on GE Announces Advancement in Incandescent Technology · Score: 1

    If only it were so easy. A problem with adding environmental costs to energy prices is that we don't know what the costs are. CO2 emission certificate trading could be one way to find out, but for that to work, the world would have to agree not only to abide by one system, but also on the total amount of certificates and on an initial allotment. The latter is particularly problematic because per capita allotments would cripple the economy of the developed countries (high energy usage per capita) and per gross national product allotments would severely harm emerging nations (big industrial sector and lower technological standard). There would also have to be compensation for positive effects on CO2 circulation, like big forests. There are many problems with charging for CO2 emissions and we have yet to solve them, but we do have better alternatives for most uses of incandescent light bulbs. Making sure that the alternatives get used more often is a good idea. If an informative label on the packaging of a $0.20 60W bulb does the trick, I'm content with that:

    "Using this bulb 5 hours each day for one year costs $8.76 worth of electricity."

  16. Re:Could be quite useful... on GE Announces Advancement in Incandescent Technology · Score: 1

    I'm not suggesting that people have no reaction to CFL lighting, but I know that they don't see flicker. There are many possible reasons for disliking CFLs: Psychosomatic stress is just one. Another possibility is the not quite perfect color reproduction or a color temperature that they're not used to: light with a higher color temperature looks dimmer at the same actual brightness because we expect it to be brighter (like sunlight).

    There is no simple answer to your first question. Unfortunately CFLs are easy to spot. The differences are usually inconsequential, but the light is not the same. So even sneaking in and replacing the bulbs without his knowledge likely wouldn't work. Neither would an agreed-upon test where someone exchanges the bulbs for him or not, so that he realizes that it's psychosomatic. Self-fulfilling prophecies are a bitch.

    The second question is easier: I think banning incandescent bulbs is stupid. In my experience, CFLs outlast incandescent bulbs several times and they produce much more light compared to incandescents of the same wattage. Color reproduction is not perfect, but very good. Without knowing what to look for, I wouldn't spot the difference right away. When I switched, I opted for more lumens and still lower power consumption. I like CFLs and I have a hard time understanding why some people insist on incandescent lighting for normal living areas. I still think it's stupid to ban the space heaters: There is no point in replacing working dimmers and light fixtures. There are applications where CFLs don't save enough energy to justify their initial cost. There are applications where 95% color reproduction quality is just not good enough.

    It's a travesty that we need to do this anyway: People who use incandescents without a compelling reason are paying a premium for their hesitation already, but they don't notice because the energy cost is decoupled from the investment and the lifetimes are too long and variable to grasp intuitively. A tax on watt/lumen, starting at 40W per thousand lumens, should fix that. If you don't like new taxes (who does?), there are other options: Guide by example and don't use incandescent bulbs in public buildings. Give each household a few high quality CFLs to try. Require that bulb manufacturers print the electricity cost of using the bulb for one year, 5 hours per day, on the packaging (undimmed, average electricity price and assuming the bulb lasts more than a year).

    However, if they really wanted to conserve energy, they'd impose limits on power consumption of devices which are "off" or just waiting for a remote control or timer event.

  17. Re:Could be quite useful... on GE Announces Advancement in Incandescent Technology · Score: 2, Interesting

    most people here assume because they can't see something nobody can

    That assumption is usually well-founded in reality. People who are "sensitive to radio waves" get sick a couple of weeks after a cell-tower is erected, even if it is never turned on. People can hear ultrasonic differences between two soundwaves, just not when they're in a double-blind test.

    Fact is, our sensory equipment is relatively slow and where we can sense high frequencies, we do so by exploiting a physical or chemical transformation that turns them into a slow signal. What you call "high refresh rate" is orders of magnitude slower than the frequency of all but the cheapest CFLs. There are great differences in the cognitive abilities of different people, but due to the way human senses work, there are limits to these differences. You do not see 40kHz flicker (and not subconsciously either).

  18. Re:A big strike against Net Neutrality on Does the Internet Need a Major Capacity Upgrade? · Score: 1

    So what do you suggest? Should the providers charge YouTube for throwing the oversubscription model out of whack? You realize that very few of the popular sites would exist today if we had always had the kind of "toll road" networks that the anti-net-neutrality lobby wants, don't you? The primary difference between the Internet and the Compuserves and AOLs back then is that a content provider does not have to negotiate with all end user providers.

    If the net needs to be upgraded, the user will pay for it either way. It's best that he knows where and how much he pays, instead of getting a cheap internet connection where he can only connect to the sites that bid the most for his eyeballs. We might reach a point where the net does indeed not have the capacity for some popular website, but then users will decide if it's really worth it to get a better connection (i.e. one with a lower oversubscription ratio) to get faster access or if they don't really need that. To make that decision, the user has to know the cost and not have it hidden from him by deals between his provider and a few well-funded sites, which then take the user's money in a less obvious way.

  19. Network neutrality is about structure on Does the Internet Need a Major Capacity Upgrade? · Score: 1

    The solution is to nix net-neutrality legislation and allow the consumer and the producer to come to terms on need versus price.

    That's not what net neutrality is aiming to regulate. Net neutrality is about the structure of the business relationships, not the content as such. The current situation is that customers pay the providers to which they connect. Providers have peering agreements. Small providers pay bigger providers, providers of equal size have cost-neutral agreements. If a provider can't satisfy the bandwidth requirements of his customers or peering partners, he needs to invest in upgrades. He will then negotiate higher prices with customers and possibly reevaluate peering agreements. The business relationships are among people and businesses who connect their networks and servers directly. Network neutrality is about keeping that system.

    The providers which are against network neutrality want to charge remote parties and throttle their packets as an "incentive" to pay up. That is a massive strike against the long tail of the internet as the intended and likely effect is that only big sites and service providers will even have enough manpower to negotiate with all relevant end-user providers, let alone be able to pay them, so the small providers will have to close up shop or consolidate.

    Your provider could still offer you a cheaper plan based on your network "consumption". He just can't have it depend on the type of sites or on the specific sites you will be communicating with. And why should he? It is not whom you communicate with or on which port that kills his network, it's how much of the network capacity you use and when.

  20. Re:DNS on Drive-By Pharming Attack Could Hit Home Networks · Score: 1

    The attacker could make other changes:

    How about a port forward to your SMB ports? While he's changing your router configuration, he might as well add a DynDNS name for you, so that he can find your computer again even after you got a different dynamic IP address.

    Or he could relay your ISP account credentials to an external webpage (normally cross site checks would prevent this, but the attacker would only have to create a hostname for the router IP address under the domain of the webpage.)

    Change default passwords. If you can't find a shocking answer to "what could happen to me?" yourself, rest assured that someone else can.

  21. This isn't about wireless access! on Drive-By Pharming Attack Could Hit Home Networks · Score: 5, Informative

    There seems to be a misconception that the attack somehow involves WLAN access, probably because the headline describes it as a "drive-by" attack. That isn't meant literally though: Drive-by means that the user's network is hacked when the user visits a website, in passing. The attack works by having a webpage make the browser access the router's configuration interface. Since the configuration interface usually isn't accessible from the internet side of the router, the attacker needs an inside computer to reflect the requests. Since the configuration interface is a webpage, the natural reflector choice is the user's browser. The attacker just needs to create a popular webpage and include "remote" elements which access router interfaces with default login credentials.

    This attack also applies to non-wireless routers and routers with properly secured or disabled wireless LANs. The critical flaw is to leave a default password on the configuration interface. The interface is not safe from external attacks just because it's firewalled on the external interface.

  22. Wikipedia's problem is also its biggest advantage on A Wikipedia Without Graffiti · Score: 5, Insightful

    The immediate publication of changes is a big motivator, not just for spammers and pranksters. It adds a reward to the work that people are doing. Remove that and you lose many contributors, and without an abundance of contributors you lose the second motivation as well: Completeness. Nobody wants to work on something that continues to lack in breadth. In turn that means you need to provide other motivations, which usually means paying people for their work.

  23. Re:Windows only? on Vulnerability In Firefox Popup Blocker · Score: 1

    The file:-opening bug is universal, only the URLs that are used would have to be adapted to different operating systems (easy, just look at the user-agent string). Even if you can't guess or calculate the temporary filename, there may be other vulnerabilities which allow an attacker to place a custom file with a known pathname on the victim's computer, which can then be called from a webpage and relay every file that is readable by the web browser.

  24. Re:Anyone knows if the 2.x tree is vulnerable too? on Vulnerability In Firefox Popup Blocker · Score: 1

    Yes, one can test the primary vulnerability quite easily and yes, it works in Firefox 2.0. The popup blocker allows users to retroactively open file: URLs which are called from webpages (http://...) even though Firefox normally blocks all such accesses. If you can place a file with a known pathname on the user's system, you can read every file. The PRN bug is only one way by which an attacker could place his helper file, the article mentions one more.

  25. Re:tupiche on Lycos Deletes Emails and Says 'Too Bad!' · Score: 2, Insightful

    She got exactly what she was promised. One login during the grace period could have saved her account. Lycos removed the account because she didn't use it as agreed upon. She can whine and cry extortion all she wants, it's still her own fault, for not getting a real email account with her own domain, and for not using the free account as she agreed to do. She should learn from that, pay the upgrade/restore fee and be more responsible with her oh-so-important mail next time.