Slashdot Mirror


User: dropadrop

dropadrop's activity in the archive.

Stories: 0
Comments: 325

Comments · 325

  1. Re:Correct on Why Doesn't Every Website Use HTTPS? · · Score: 1

    (but a requirement is that users are not scared with warnings about part of the content being unencrypted).

    Those warnings are there for a reason.

    Sure, just don't expect the end users to understand what it's saying. From what I've seen in usability tests a vast majority of end users don't even read what the warning is, they just close the browser or start to feel intimidated. From a business (just starting to turn a profit) perspective that could be the difference between making profit or losing money (not even getting into the whole user experience thing).

    How is an end user notified when their session data is sent over an unencrypted connection? Browser makers use an icon to display if the connection is encrypted or not, that icon could easily also display a broken lock when it's partially encrypted. The current model is very black and white, and from my experience it actually makes little sense to the end user whose closest experience with encryption is watching CTU try to decrypt a terrorist's hard drive. You could try with a non computer literate relative some time. Have them browse the web and ask them to tell you when they are on an encrypted page, my guess is that most of them won't even understand what you are asking. The only thing they will understand is that suddenly they get a scary warning.

    I'm not saying the current model is necessarily wrong, just that it is definitely reducing adoption of using HTTPS for session encryption on sites that are image heavy and relying on the user's browser to cache image content and as such reducing security rather than increasing it.

  2. Re:Correct on Why Doesn't Every Website Use HTTPS? · · Score: 1

    Which is why you put the HTTPS work on the load balancer/proxy, and do all internal communication between the proxy and servers via HTTP.

    Doesn't work well if you also want client browsers to cache...

  3. Re:Correct on Why Doesn't Every Website Use HTTPS? · · Score: 5, Interesting

    Also, HTTPS does not play well with proxy caches or load balancing.

    This is the main reason we have not been implementing it. Our environment relies heavily on caching and load balancing. We are trying to find ways around it though, especially to get all session-data to use HTTPS (but a requirement is that users are not scared with warnings about part of the content being unencrypted).

  4. Re:hmm on MacBook Pro Specs Leaked, iPad Event March 2 · · Score: 1

    Yeah, the Windows machine specs out nicer, but that doesn't mean much outside of test-bed environments, looking at performance from a clean install on a pristine new computer.

    You cannot buy a pristine new Windows laptop at this time. Only offered by Apple. Everything else is stuffed with bloatware by the manufacturer.

    Yeah, I got my HTPC with Windows 7 and left it on the side while installing Linux as the primary OS. Windows was amazingly slow to boot and sluggish to use until somebody here posted a link to the PC Decrapifier: http://www.pcdecrapifier.com/

    Now Windows boots up about as fast as the minimal Ubuntu server / XBMC set up and works surprisingly well given the hardware (1.6ghz Atom). I still don't consider it a pleasure to use, but compared to the state it was when the machine was sold to me it's like buying a 2 generations newer computer.

  5. Re:serious for a moment on On Retirement, Israeli General Takes Credit for Stuxnet Attacks · · Score: 1

    Sadly, a lot of different factors combined to destroy the only multi-cultural democracy in the Middle East: Lebanon.

    Haven't those factors been at play for quite some time now? Of course the current state can be traced down to the last 40 years, but I've understood Lebanon has been attacked countless times due to its geographical location and water supplies in the last few thousand years.

  6. Re:Microsoft's previous strategic mobile partners on Why Nokia Is Toast · · Score: 1

    Actually thinking a bit further, maybe it's not just showing who has a crappy browser, but also who has slow / expensive data plans for their mobile phones. When I still had a Nokia one reason why I used Opera was that the amount of data transferred could be 90% less than with the built in browser, and that would be the same for any phone (data is transferred through a proxy which compresses it).

  7. Re:Microsoft's previous strategic mobile partners on Why Nokia Is Toast · · Score: 1

    Part 3 of this report focuses on the EU; not exactly poor countries / Nokia still has the largest slice of the market (I wonder how it would look if iPhone models were listed separately... many Nokia handsets are also very similar)

    Or how it would look if iPhone users actually used Opera as a browser... I tried it and can't really figure out who the target audience for Opera mini on iOS is. Remember that is focusing on Opera mini usage so of course the phones listed highly will show who has a crappy browser, not who has the largest market penetration.

  8. Re:In that case, MS has failed beyond belief on Why Nokia Is Toast · · Score: 1

    Nokia could have done other things: (1)Push Meego. (2)Push Symbian. (3)Adopt Android. (4)Develop their own OS.

    (1) Tried, it's not ready enough yet.

    Why not? With the amount of money they are pushing to R&D my conclusion is that there is something wrong with the way they are trying to do it? Or then that money is going to the wrong places and moving to Windows will not save them (unless the purpose was to roll over and die).

  9. Re:One can only hope... on An Open Letter To PC Makers: Ditch Bloatware, Now! · · Score: 1

    I suspect that the one really pissed is Microsoft. The vendor, at least, gets paid, and all their competitors are doing the same thing; but Microsoft doesn't see the cash, and the bloatware makes them look pathetic next to OSX, even in areas where they don't deserve it. Slave for months getting Windows N+1 to boot really fast? Hahah, suckers, HP just signed a deal with 3 AV companies at once... Kiss your positive consumer perception goodbye.

    That's what I was thinking too. Microsoft could demand that the machine would be sent to the consumer with just the OS and a separate media for installing software, but they don't seem to mind that much. Above all this lowers my perception of Windows, Microsoft is allowing the user experience to be terrible.

    I got an Asus computer which came with quite a lot of bloatware and no Windows media. I didn't know (posted above) that I can download the media from Microsoft directly, and have tested a few Windows torrents (per Asus recommendation) to be able to install on a larger disk in a traditional manner but none of them accepted the key. Once again above all this tarnishes my image of Microsoft more than anything else, with OSX or Linux this would never be an issue.

  10. Re:So anyone with a playlist can be a DJ now? on iPad + Macintosh Plus = Crazy Visualizer Helmet · · Score: 1

    Maybe you should just try to go and see a really good DJ some time. When DJs are really good individual songs completely lose their meaning and you are really led from one place to another for what could be hours. Though to be honest 99% of DJs are not that good.

  11. Re:Is Facebook a viable long term business model ? on Facebook's Revenues Leaked · · Score: 1

    My biggest issue is, penetration is so high already, how much bigger can it grow?

    I've been wondering about that too, but just had a look at their timeline and other stats and it seems they are getting over 25 million new active users a month, and it does not look like there is a huge it's slowing down very badly (500 million is the amount of active users, and half of those active users logged in during the last 24 hours).

    http://www.facebook.com/press/info.php?timeline
    http://www.facebook.com/press/info.php?statistics

    Sure that number can't go on forever, but considering we are talking about the whole world, it's very hard to say how long that will go on for.

  12. Re:Facebook is a horrible media business on Facebook's Revenues Leaked · · Score: 1

    Of course it's impossible to target an ad as precisely through Vogue as it is through a service with as detailed information on the user... I'm not saying you are incorrect, but it seems to me that most ads I see in Facebook (in Finland) are pure scams leading me to believe companies on both have a lot to learn. I've never seen an ad in Facebook that would come from a company I've heard of.

    What I mean is there is some middle ground between Calvin Klein advertising next to a puke picture and somebody claiming I win an iPad because I'm the 1000000th viewer of a banner. Maybe that could be a service offering horse rides in a small town buying ads to be displayed to 12-15 year old single girls liking horses in the vicinity. I think everybody has a lot to learn still, and Facebook could be making a lot more than they are for the ads ('cause looking at the quality of the ads now they could not be worse).

  13. Re:Internet ID - killer app on Facebook's Revenues Leaked · · Score: 1

    There was an interesting piece on MIT's Technology Review site about how Facebook is doing something that VeriSign, Microsoft, Yahoo, and Google have all tried and mostly fail at, which is providing a single id and single log in for the internet.

    Only how easy is it to steal Facebook IDs if you host a site yourself and use them for authentication? I guess most people aiming at creating a single sign in solution have understood it needs to be two factor to be worth anything in the long run, and that has been far too complicated for most people. Of course this does not mean Facebook could not improve the log on service further, they probably have a better chance than anyone before them (first get the users and then create the service in a way that it would be used)...

  14. compared to? on Study Finds DDoS Attacks Threaten Human Rights · · Score: 1

    Reading the article I did not see any comparison between the frequency of attacks against human rights groups and other politically active or high profile services. My employer has been hit by countless DOS attacks during the last year, and it's not a freedom of speech thing (actually I don't know what the motivation was most of the time). I do believe there will be a greater likelihood of having some human rights sites taken down in a DDoS as they won't have a very advanced infrastructure behind the site, but are they actually attacked more than commercial sites?

  15. Re:The only question I have is on Firefox 4 Beta 8 Up · · Score: 1

    Given the burden of the many add-ons I run, I'm not sure which is fucking up, the browser or the add-ons.

    One nice thing about running 8GB RAM on a 32-bit system with PAE enabled is that when FF gobbles memory it maxes out at 4GB!

    I'll keep it for the add-ons. RAM is cheap.

    I've been trying to think of an excuse to get permission to upgrade my work laptop from 4 to 8GB. You gave me a great argument, thanks.

  16. Re:The Internet on British ISPs Respond On Filtering · · Score: 1

    Isn't the internet just a large collection of computers connected together via a smaller (though still large) collection of computers that control things like DNS tables (OK, a bit of a simplification). But what would stop some determined criminals from creating their own "internet 2", say, and using that, totally un-policed? Surely there is a way round any law for determined criminals?

    Criminals try to get around all laws, and law makers try to prevent that. In a way it's not really the issue here, and neither is the law (the things they are trying to prevent are already illegal so adding filtering does not change anything in that respect).

    The problem is that the method used for this filtering is generally DNS filtering, which is of course very trivial to bypass. This means that anyone actually wanting to break the law can do it just as easily as before (because changing your DNS host is far easier than finding kiddie porn). Also methods to get around the filters are not illegal, you can use OpenDNS or other DNS providers if you want to and they don't generally have to abide by any single country's laws (apart from where they are hosted from).

    Any way you look at these, they just can't really be anything else than somebody trying to make an impression that they are making a difference when they really are not (not the difference they claim anyway). Maybe you could consider it as buying votes with public money.

  17. how does filtering work elsewhere? on British ISPs Respond On Filtering · · Score: 3, Interesting

    In Finland they made a kiddie porn filter. It's pretty funny, there is hardly any oversight, no formal investigation by the police regarding sites that get filtered, and thus no process for removal of sites that are falsely flagged. Originally the law covered only sites that are abroad (I guess the idea was that local ones would be handled traditionally by the police), but that did not stop them adding the most vocal critic of the system to the list of filtered sites.

    And of course best of all, it's a DNS-based filter so it's very trivial for anybody to bypass even if they are not technologically advanced.

    I'd like to hear a success story from somewhere in the world regarding these filterings, but till now it seems governments participating in these are competing on who has the biggest failure, yet still considering them to be a success. The biggest winners are probably the companies designing the systems, and I would not be in the least bit surprised if the same companies act as advisors when analyzing if it would be worth while before starting.

  18. Re:Success on Stuxnet Virus Set Back Iran’s Nuclear Program by 2 Years · · Score: 1

    And to beat it all, no-one even knows who was actually responsible for this. Oh yes, the future of modern warfare and sabotage is most certainly here.

    A perfect future for state sponsored terrorism.

  19. Re:Wrong weapon on Why Anonymous Can't Take Down Amazon.com · · Score: 1

    Probably Slashdot stories about Amazon denying hosting to Wikileaks harmed more the company than the combined Anonymous attack. There is no firewall against social attacks.

    Except most people probably agree with Amazon's decision. It probably helped them. Surely you have noticed that Slashdot is not very representative of what we might call the "general population," falling somewhere to the left of where most people are, at least in the United States, Amazon's largest market.

    Are you serious? Would you want to take your business somewhere who will kick you out the first time you are under a DDOS attack (like the attack would not give you enough gray hair as is)? Isn't that still the official reason why they were kicked out?

    Now my employers services get hit by DDOS attacks occasionally. Sometimes there is also too much traffic bringing our services down. The provider happily sells us a distributed DDOS shield service as they make money out of it, and they might even null route our networks if traffic is too much for the shield, but they never mention kicking us out.

  20. Re:Damn on 4chan Declares War On Snow · · Score: 1

    Damn this is just dumb, I feel bad for even giving it attention by posting here.

    Honestly, I think this was a great move from them. They've been building up quite a bad image now that all (even small) news outlets are talking about their attacks. Maybe this will help put them into perspective. I think it's very close that most law enforcement agencies pick these guys up as easy cases against DDOS attack makers, having the public view change from criminals to mischievous youth with a sense of humor can make quite a difference.

  21. Re:Yes.... and, no. on Has Progress Been Made In Fighting DDoS Attacks? · · Score: 2

    In most cases I've found distributed DOS shields can't really scale over 10gbit/s, and even then they have to be manually started after noticing the attack vs. "heading off the attacks before they begin".

  22. Re:why mastercard? on MasterCard Hit By WikiLeaks Payback Attacks · · Score: 1

    Maybe I'm old fashioned, but I thought you had to actually be convicted to be a criminal - not just accused.

    Have Wikileaks been officially accused of anything? And no, I'm not talking about some politician saying they should be executed, rather official charges pressed.

  23. Re:Sorry, no "dirty tricks" campaign here... on Wikileaks Founder Arrested In London · · Score: 3, Insightful

    How do you suggest he would have done that? As far as I'm following I understood the charges were dropped while he was in the country, and refiled when he left.

    I also understood he went to give himself up to the police voluntarily now, which is the closest I can imagine to dealing with them.

    Or maybe I misunderstood your comment?

  24. Re:Sorry, no "dirty tricks" campaign here... on Wikileaks Founder Arrested In London · · Score: 4, Informative

    There have been no charges for rape in Sweden as far as I'm aware, but still that's what all newspapers are touting. I guess it's possible that they used that for the Interpol request as it was the closest available option though...

  25. Re:Does not compute... on Researchers Tracking Emerging 'Darkness' Botnet · · Score: 1

    if someone is savvy enough to write (or even use) such a piece of code, why DOS attacks? Unless, of course that someone works for a government agency and wants to limit...say something like the Wikileaks server. I mean if they are that smart, why not hack into, say, a couple million on line bank accounts and just draw out $.25 per month of each one. That'd net you a cool 6 mil smackers per year. I mean what's the point?

    I think generally the point is to make money. If they have customers prepared to pay for the attacks, then it's worth it for them. Looking at articles regarding the botnet it seems they will make about 50$ for 24h of attacks. From their price list I would guess that's for about 30 attacking hosts... I don't think the people behind the attacks really care why somebody is paying them to do it.