Unfortunately Thunderbird hasn't done those tricks with indexes. So every few weeks I need to delete the .MSF file it creates for each folder to be able to open the folder.
And the point remains that Thunderbird mail storage is monolithic.
WTF? Thunderbird uses a non-standard extension of mbox mail format, which is one monolithic file per folder. That simply doesn't scale for multiple GBs of email per folder.
Your email for phone need not be the same. In fact it can be a completely dedicated account for phone.
Source of popcon can be examined - and for those unwilling/unable to do so, popcon is documented in much more detail than Microsoft's telemetry business. The ability to view decrypted communication before it is sent to mothership adds to the credibility of popcon.
Not to mention popcon can be very easily disabled.
That is irrelevant. My point is that having seen an event, or knowing the victims does not entitle someone to a better opinion on these matters. Only statistics and analysis with a cool head can. Your sensationalism is not helping.
When the cost of some ways of catching the culprit is privacy of everyone, frequency becomes very important.
It is well known that when estimating the frequency of certain kinds of events, humans actually estimate the ease of recall of these kinds of events and not the actual frequency of them. So while it is true that witnessing these events changes one's perception, that is the incorrect perception.
The correct perception can only be gauged from statistics, not through an appeal to emotions which are known to lower the accuracy of perception. So, where is the argument devoid of emotion?
OK, some valid criticism there, some not. Tree style tabs?
1. YouTube downloader means any flash/mp4 video downloader. There is no dedicated website for all of them.
2. For a few years, Firefox has been asking me to kill misbehaving scripts. Do you have an example of a Firefox crashing script?
3. I've been using 64 bit Firefox for 5 years on Fedora Linux. It's been available before that, but I was on 32 bit Fedora.
4. With vimperator, I've not needed any icons in the top right for 7 years. Chrome's vim emulation was very poor last year when I checked.
5. I don't see any Pocket - probably because of vimperator. I enabled the URL bar, right click, customize, drag "Pocket" away, and it vanishes.
6. I have blank as my start page, the settings icon on its top right allows you that option - "show blank page". Latest Firefox from Fedora as of right now - 42.02
When Firefox started driving users who care about privacy towards Chrome
How so? While Firefox keeps breaking the add-ons now, with a little effort you can maintain real adblock, requestpolicy, noscript, cookieculler, httpsfinder, betterprivacy, youtube video downloader etc. Chrome doesn't have a decent replacement for most of these, last I checked.
The other features Firefox (with add-ons) still has - mouse gestures that work on preferences tab too, tree-style tabs which Chrome has refused to ever support using any add-on etc. There is still no match for Firefox in features.
It is not worth making a certificate that protects against impersonation of a domain owner using the same domain unless it is also worth paying for a certificate that protects against impersonation of a business using a different domain
Depends on the ease of attack. One way I see for same domain impersonation is by compromising the user's DNS. Are there others? DNS compromise is somewhat involved but not extremely difficult, not very common in my experience with novice users, nor in the news I read.
But you are right, in that this attack vector definitely cannot be ignored, so it is worth making a certificate to protect against the same domain attack.
So does it boil down to Let's Encrypt being a protection against DNS compromises?
Thanks to you, I learnt about EV certificates.
"A site doesn't need MITM protection unless it also needs phishing protection."
Everyone "needs" all kinds of protection, but different people pay for different ones. MITM is used in a way of phishing, so you cannot protect against phishing unless you also protect from MITM. But if certificates are a dime a dozen, you've not really protected from MITM phishing as well as impersonation phishing. You're only achieving the encryption in transit, and preventing the scary message most browsers show when using self generated.
So Mozilla as a partner of this project could help much more by simply allowing a user preference for not showing scary message for self generated certificate, rather than this round about way of generating certificates every 90 days.
It's like printing money and distributing among the poor - appears noble, but brings down the very value of money. Certificates are not very unlike money here, are they?
This counts as passive sniffing and occasionally MITM.
MITM is too much work for dragnet. But yeah, passive sniffing.
On Pin Eight, which uses a domain-validated certificate, Firefox shows me only a green lock. On Chase, which uses an organization-validated certificate with EV extensions, Firefox shows me a green lock plus "JPMorgan Chase & Co." in green.
You're right, I notice that now. But the distinction is not big enough for the people who will get scammed by the phishing. And I remember emails from my bank a few years ago about looking for the padlock icon - this distinction wasn't made there.
So it remains a bad idea - insufficiently validated websites getting that padlock, getting more people to be phished. All due to conflating encryption and sender validation.
That part works without running this code too.
Thank you for explaining. Consider three different attacks on an HTTP session: passive sniffing, active proxying by a man in the middle, and typosquatting
There is a fourth one - phishing. You might call it a variant of typo-squatting, but actually it is not. Your attempt to call it social engineering will also be met with a "Nah".
You get an email about updating your ING bank contact details urgently, and get a link to click on directly. But it is ingatyourservice.com - page content look and feel copied from ING's net banking website. User doesn't notice that this is not real ING, ignores the few mistakes in copying the phishers made, and enters everything the website asks.
There is a fifth attack vector - though none of the business of website owners or visitors. But EFF has made it their business to complain about it. It is the dragnet surveillance by TLAs. HTTPS prevents that too. "Let's Encrypt" sounds like an attack on that attack.
The two tiers of CA-signed certificate have distinct purposes.
You know more than me about the certificate business. But both - banks' padlock icon and Joe Sixpack's website's padlock icon look the same to me.
Then there is no market for this product, so requiring root is least of your worries.
But you make it sound like there's no place for encryption in transit without stronger sender identification
I am saying the opposite, no idea why you interpret it this way. It is very easy to encrypt in transit - just generate your certificate and encrypt away. Even the name of the project - Let's Encrypt - "makes it sound like" encryption in transit is the big deal, not the sender identification.
Repeat after me - encryption DOES NOT NEED identification.
Further, you make it sound like there ought to be an entry barrier to sender identification
How do you identify something without creating a barrier for it?
Do I understand you correctly so far?
50%.
Should individuals have the right to send, outside the course of a business?
Send away, no problem. Want to send encrypted? Generate a certificate and send away, no problem there either. Want someone to vouch for you that you are the sender you pretend to be? Ouch, that will be $x - not because it is a prerogative of the rich, but we need to do the following verifications which cost $x.
1. Identity, address verification of applicant. Something to catch him if he goes rogue.
2. Domain access - as you say letsencrypt already does.
3. Does it represent a physical business? Or virtual business outside of this domain? Or appear to do so to a non-paranoid human being? Get approval from the business owner.
Remember banks are relying on the "HTTPS" lock icon and instructing their users to look for it and consider themselves "safe" if it exists. ING bank shouldn't have to buy ing.com, ing.org, mying.com, ingbank.com, myingbank.com just because domain ownership is the be all and end all of "identification" on the internet.
Those who don't have the skills to do it otherwise? It is of no use to any other kinds of people anyway.
Because it's a bad idea? Two independent purposes are served by HTTPS - encryption in transit, and sender identification. Self generated certificate is enough to do the encryption in transit business.
For sender identification, it makes no sense to do it automatically and/or cheaply. It should be even more expensive, and come with lots of verifications. By doing it "automatically", we defeat the whole purpose of sender identification.
Browsers (including a partner in this project - Mozilla) are too stupid to not irritate users with scary dialog if only one of the purposes of HTTPS is being served - but that doesn't mean we adopt stupid solutions.
If you can point out some whole country where people get shot but mostly don't bleed and die, I would accept that distinction. I pointed out Canada where schools don't have this recurrent problem in spite of being gun free.
You will note that those gun free zones were within larger areas with easy availability of guns, and insufficient protection between the gun free and non gun free zones.
E.g. schools in Canada don't get so many gun shootings even though they are gun free. I.e. because Canada as a whole doesn't have easy availability of guns and protection between the US and Canada is strong. But they would if the only protection Canada had from American guns was a signboard with "gun free zone" printed on it with many exclamation signs.
So being gun free is not what encourages shootings - it is the porous border between gun free and non gun free zones.
Or he has no HDD in his single PS4, twice.
Yes. inoremap.
Engineers is what engineers do. So the definition of "engineering" in a dictionary that doesn't include "work done by an engineer" is incomplete.
3) Work done by an engineer.
This is a tautology. You fail whatever they are calling discrete math for computer science these days.
No. It is saying that in addition to the said "branch of science and technology", and the said "action", the "work" done by such practitioners of science and technology and the "work" done by such actors is also called engineering. It is not a tautology.
If the third definition was not included, the answer to the question "what does he do for a living?" could never be "engineering", because work is not included. But by virtue of the third definition, the answer can be "engineering".
Protocol doesn't matter, but the functionality does. I do "ssh -X emacsclient" to my Emacs daemon running "server", and get the Emacs window locally. With this window, I can maximize, tile, resize, raise etc using my local window manager.
How do you do it without X? Xpra gives me artifacts and 100% CPU usage for apparently no reason.