Slashdot Mirror


User: HeronBlademaster

HeronBlademaster's activity in the archive.

Stories: 0
Comments: 2,797

Comments · 2,797

  1. Re:It's 2009 and will be 2010 soon on Sloppy Linux Admins Enable Slow Brute-Force Attacks · Score: 1

    Not really. I don't want to run an FTP server, so I have them use FTP over SSH, and I've set up their accounts so they can only meddle with their own stuff. Their websites are in $HOME, in the $USER group, not world-readable. None of them have sudo permissions. No user is in any other user's group.

    So it's like renting them a private shed in my backyard. Sure, it's on my property, and if they want to give away their own stuff, they can, but they can't do anything to (the inside of) my house.

  2. Re:It's 2009 and will be 2010 soon on Sloppy Linux Admins Enable Slow Brute-Force Attacks · Score: 1

    I said, for you to access a server without carrying around a USB drive. There's no way I'd have customers try it.

    It's easier to have one system for everyone than to special-case a one-time-password system for my username.

    Imagine getting to check your webmail from a dodgy Internet cafe and knowing that the login will only work that one time.

    I guess you've never heard of SSL-protected POP3/IMAP? Or even HTTPS for webmail?

  3. Re:Use one time passwords. on Sloppy Linux Admins Enable Slow Brute-Force Attacks · Score: 1

    Tokens work fine for large companies, but not for small one-man website hosting gigs that are losing money as is; OTPs also incur a rather large support overhead, which is something I'm trying to avoid.

    Besides which, there's no reason to go overboard. Strong passwords are "good enough" in my particular case. Not everyone needs the added security given by OTPs, tokens, login keys, and so on.

  4. Re:It's 2009 and will be 2010 soon on Sloppy Linux Admins Enable Slow Brute-Force Attacks · Score: 1

    And have my clients call me every time they misplace their password list? I don't think so.

    It's a tradeoff between cost and benefit. Changing to OTPs from "strong passwords" offers very little from a benefit standpoint (realistically, it's only slightly more secure), and incurs a comparatively large setup cost (including the time to learn how to set it up, get it tested properly, explain it to everyone else who uses the system, etc). From that perspective, I have nothing to gain by changing to OTPs.

  5. Re:Outward facing systems ... on Sloppy Linux Admins Enable Slow Brute-Force Attacks · Score: 1

    How many of those critical security bugs expose arbitrary filesystem access to Javascript (or Flash) every year? How many ever?

    If your answer is either "I don't know" or even "less than one per year", then we can safely ignore you, because you're just fearmongering.

  6. Re:Outward facing systems ... on Sloppy Linux Admins Enable Slow Brute-Force Attacks · Score: 1

    That's only a problem if you don't trust your browser makers. If Firefox starts stealing people's Subversion passwords, people are going to notice; Javascript isn't going to be able to dig around your local filesystem (at least, not without your permission). I don't know about Flash, though. I would assume it needs user permission to do filesystem stuff?

    So... I take it you don't trust Mozilla?

  7. Re:Outward facing systems ... on Sloppy Linux Admins Enable Slow Brute-Force Attacks · Score: 1

    Interesting. I hadn't really thought about that.

    Here's the question, though. Is ~/.subversion world-readable? If not, what group is it assigned, by default? Is it $USER? If so, I don't see a problem unless other users on the system have root access (or unrestricted sudo permissions).

    Granted, that's just my personal opinion. Were I running a secret government Subversion server, I'd probably be more strict, but if the folder is only user-readable it's not going to be a problem 99% of the time.

    (I'd answer these questions myself, but I'm in Windows at the moment, where I use TortoiseSVN.)

    On a related note, does anyone know where Cygwin's Subversion client stores passwords? There's no .subversion in my home directory.

  8. Re:Ask Slashdot on Sloppy Linux Admins Enable Slow Brute-Force Attacks · Score: 1

    I used to see exactly that sort of thing all day every day until I put SSH on a port above 1024. It's not hard to see ssh on its alternate port with a quick nmap scan, but botnets apparently don't bother scanning... I would guess they're after the easiest meat. Now, I don't see any failed login attempts that aren't my own typos.

  9. Re:bullshit on Verizon Refuses To Provide Complete IPv6 · Score: 1

    I agree that whining is useless. The post you replied to didn't say anything about whining, though, and neither did that post's parent post, which is why I made a distinction between whining and complaining.

  10. Re:It's 2009 and will be 2010 soon on Sloppy Linux Admins Enable Slow Brute-Force Attacks · Score: 4, Informative

    Because some of us want to be able to log in from anywhere without having to carry a flash drive around containing our ssh keys.

    And some of us have customers who have a hard enough time grasping the concept of "strong passwords", let alone key-based authentication... And heaven forbid a client's computer crashes and you have to help them set it up again over the phone...

  11. Re:Outward facing systems ... on Sloppy Linux Admins Enable Slow Brute-Force Attacks · Score: 1

    And rip Subversion and CVS out because of their continuing practice of storing your account passwords in plain-text.

    If your Subversion server is storing passwords in plaintext, you're doing it wrong. I've set up several servers for use with Subversion, and all of them store user passwords encrypted. As far as I know, that's the default way of doing it when you're doing Subversion through Apache.

  12. Re:Obvious answer... on Verizon Refuses To Provide Complete IPv6 · Score: 1

    Most civilized areas have at least two options.

    Sure, if you don't mind slow speeds. My choices are as follows

    - A 1.4Mbps T1 shared among several apartment buildings, for $50/month
    - A 1.5Mbps down, 768Kbps up Qwest DSL connection for $40ish/month
    - Comcast's full range of offerings, anywhere from $45/month to $90/month or higher

    Verizon advertises FiOS around here, but I haven't found an address in my zip code or the neighboring one where FiOS is offered. Not to mention that my address isn't even in their computers, so the first-level techs can't even enter a note into their system that I'm interested.

    Qwest advertises fiber, but they don't even offer decent speed DSL around here, let alone fiber.

    Given that I do more than check my e-mail on my home connection, do I really have a choice? My choice is between a) Comcast or b) pay just as much for a far slower connection and abandon most of my normal internet usage (gaming and streaming video). You might be about to say "you don't live in a civilized area, then", but I'm only ~20 minutes south of downtown Seattle... hardly an uncivilized area.

  13. Re:bullshit on Verizon Refuses To Provide Complete IPv6 · Score: 2, Insightful

    I'll gladly start a competitor if you'll provide me with the funding. Personally, I don't qualify for the multimillion dollar loan I'd need to be able to build (or rent) the infrastructure necessary to compete with Comcast or Verizon in just one city, but maybe you do?

    That said, yes, complaining about things can certainly make things better. Did AT&T charge you an activation fee or upgrade fee for your last cell phone? Complain - they'll waive it if you try. (Worked for me.) Think Comcast is charging too much? Call them and tell them you want to cancel service - they'll offer you a lower price to try and get you to stay. (But don't say that. Manipulate them into it.)

    Are you not getting paid what you're worth? Tell your manager, and explain why you think you're worth more - a simple e-mail along those lines once got me a $2/hour raise. (This probably won't work for salaried jobs.)

    "Whining" is rarely productive. But complaining - especially manipulative complaining - can be very productive indeed.

  14. Re:Closing the Architecture on NVidia Cripples PhysX "Open" API · Score: 1

    I didn't mean to imply that StarCraft was the average age of games that work okay. I simply meant to say that older games will basically work "for sure", simply because they use older versions of DirectX.

  15. Re:CRT? Are you from the past? on NVidia Cripples PhysX "Open" API · Score: 1

    I think it more likely that they've implemented a hardware whitelist, rather than a hardware blacklist, and only included the things they want to support.

  16. Re:CRT? Are you from the past? on NVidia Cripples PhysX "Open" API · Score: 1

    I didn't say he can't get mad. I said he can't blame them ;)

  17. Re:CRT? Are you from the past? on NVidia Cripples PhysX "Open" API · Score: 1

    I knew I was being "creative" at that point... but I wanted to use his own phrasing as much as possible :/

  18. Re:I hope he wins on Company Uses DMCA To Take Down Second-Hand Software · Score: 1

    Steam is selling you the right to play that particular game on one particular account - nothing more. If you want to re-sell a game that's available both on Steam and in stores, buy the physical copy in a store.

    The information on the discs is indeed different than the version you'd receive from Steam, especially where DRM is concerned, but also because the Steam version runs without a CD, whereas the CD version may not.

    IMHO the first sale doctrine is really only relevant when physical goods are involved. Since digital-only products are just that - digital - they can be copied infinitely. When you sell a paper book, you're not selling a copy of that book, but when you sell software via a download, you're selling a copy. Only the publisher should have the rights to sell copies (unless they waive those rights, of course).

    You may argue that you'd erase your copy after the data transfer to the recipient has completed, but two copies do exist for a time - and that makes digital sales fundamentally different than physical sales.

    To make things more complicated, what's to stop you from forgetting you've already sold it, and selling it twice, copying the same game each time? That's simply not possible with paper books.

  19. Re:CRT? Are you from the past? on NVidia Cripples PhysX "Open" API · Score: -1, Troll

    What about Windows 98 is outdated? It has faster boot times, a simpler UI, and is not encumbered by active DRM. It's sometimes slow, but a faster processor will still result in instantaneous response times. I think the primary disadvantage of Windows 98 is that adding new industry-standard features would be so costly as to be impractical. It has security holes, and it tends to get bogged down over time, but in terms of OS quality Windows 98 is still extremely good.

    Windows 98 is "outdated" because Microsoft wants to sell Windows 7. Lean and fast is sexy. And XP sold like crazy back when its stability was dramatically inferior to Windows 98, and it took them two service packs to catch up.

    *** ... Now, obviously I'm being overly dramatic, but I think you can see my point. Yes, CRTs are useful, but they're not industry-standard anymore. You yourself pointed out one of the biggest reasons LCDs won out - high-resolution widescreen CRTs are impractically large.

    But even if I were to concede that CRTs are inherently superior to LCDs, there have been many instances in recent history of apparently inferior technology being adopted as standard, while superior versions are left in the dust (e.g. VHS vs Beta).

    The point is, you can't get mad at anyone for not supporting Beta tapes, even though you still have a Beta tape player at home; you can't get mad at Microsoft for not supporting Windows 98, even though you have a computer with Windows 98 running on it; and you can't get mad at someone for not supporting CRTs, even though you have a CRT at home.

    Sure, CRTs have some inherently better qualities. LCDs have some too. Companies don't have infinite money, and guess what? They won't make money supporting CRTs, so they're not going to do it.

  20. Re:Closing the Architecture on NVidia Cripples PhysX "Open" API · Score: 1

    Ever tried to run DirectX under anything else?

    I see your point, but I feel it is pertinent to mention that older versions of DirectX are (essentially) fully supported under Wine. That is, there does in fact exist an open source alternative to DirectX using DirectX's API. (Not that an open source app intended to be cross-platform should use DirectX.)

    Of course, I could be horribly mistaken about how Wine takes care of DirectX, but as far as I'm aware, when you install Wine, it doesn't come with closed-source DirectX DLLs, but older games (e.g. StarCraft) work fine.

  21. Re:CRT? Are you from the past? on NVidia Cripples PhysX "Open" API · Score: 3, Insightful

    No, but you can't blame a company for not wanting to support outdated technology.

    That's like complaining that Microsoft won't release security updates for Windows 98. Sure, some people are still using it, and it might work perfectly well for them, but that doesn't mean MS is evil for not patching it.

  22. Re:Autodesk will lose on Company Uses DMCA To Take Down Second-Hand Software · Score: 1

    Why bother end-users with it at all, since it doesn't matter to them?

    It doesn't do Joe Sixpack any good to receive a notification that "By the way, this software is distributed under a license that most likely will not affect you in any way." It will do nothing but teach Joe to ignore notifications.

  23. Re:I hope he wins on Company Uses DMCA To Take Down Second-Hand Software · Score: 2

    Think of Steam, where you have no means whatsoever of individually reselling the games you have bought.

    Steam isn't exactly selling you a game; there are a few important distinctions between a purchase on Steam and a CD purchased in a store.

    - Steam permits game access on a user-by-user basis.
    - Steam can revoke access to individual games or entire accounts (i.e. they can actually control use of the game, unlike physical CDs).
    - You are informed of these restrictions before you pay, which is entirely different from physical sales (which present an EULA after payment but before installation). I think that's the key that would allow Valve to win any lawsuit on the issue. (IANAL, I'm just speculating.)

    I don't have a problem with Steam's method of doing things, though it is annoying that it only allows one game to be played per account at once (e.g. it'd be nice if I could play a game of Risk between deaths and respawns in Counter-Strike, or if my wife could play Boggle on my account on her computer while I play something else on my computer).

  24. Re:LOSERS on Company Uses DMCA To Take Down Second-Hand Software · Score: 1

    Is it an auto? Is it a desk?

    No, it's Superman!

  25. Re:Autodesk will lose on Company Uses DMCA To Take Down Second-Hand Software · Score: 1

    The best way to avoid EULAs is to just not use proprietary software.

    It's also a good way to be stuck with inferior software or, in some fields, no software. (For example, there's no open source version of TurboTax, and few would argue that The GIMP is on par with Photoshop for advanced users. I also have yet to see an open source non-linear video editor that doesn't completely suck.) Sometimes, there is simply no alternative to proprietary software.

    I'm as much of a Linux fan as the next guy (I run Gentoo Linux) but that doesn't mean I can't recognize the weaknesses the open source community still has.

    Actually one thing that bugs me is that some open source software presents the GPL as if it were an EULA, and forces the user to "agree" to it. A user doesn't get to agree or disagree with the GPL; it's simply a statement of fact. The GPL is binding on any distribution of GPL software, whether or not a user has ever "agreed" to the GPL.

    (IANAL, that's just my understanding of the situation. I welcome informative corrections.)