Slashdot Mirror


User: moderatorrater

moderatorrater's activity in the archive.

Stories: 0
Comments: 2,557

Comments · 2,557

  1. Re:Jennifer Brunner.. on Diebold Admits Ohio Machines May Lose Votes · · Score: 1

    And people say that table layouts are bad.

  2. Re:Open Voting on Diebold Admits Ohio Machines May Lose Votes · · Score: 1

    I'd make damn sure to win the popular vote though. Conspiracy theories like this (which it is btw) usually break down after a long time because there are too many people involved.

  3. Re:Goes to show on Red Hat, Fedora Servers Compromised · · Score: 1

    Given that Linux has a lot of market share in the server department, I would imagine that the reward for compromising a system would be greater for Linux right now than Windows. After all, would you rather hack into 1000 home desktops or get a server from eBay, Slashdot, or any major to medium site that gets credit card numbers at some point?

    However, since infecting a server is lower profile than infecting 1000 home computers, people looking for notoriety won't be doing it. I imagine that if someone finds a Linux server exploit, they will exploit it as widely as possible without letting anyone know. Until very recently, hacking Windows was something you did because you could, and letting people know they had a virus wasn't an issue. With Linux, I imagine it's a different game entirely, and the tipping point is already there.

  4. Re:Nothing to see here. on Red Hat, Fedora Servers Compromised · · Score: 3, Insightful

    You're missing the most interesting possibility in my mind: employee sabotage. Why should open source be immune to a bad apple attempting to subvert the system for their own gain? A mid-level employee signs a package and distributes it, a customer running a rootkit checker or clamav on their system notices that the copy they have is suspicious, reports it, and suddenly you have a situation where the key itself may or may not be compromised and some checking needs to be done everywhere.

  5. Re:Use two different encryption methods. on New Attack Against Multiple Encryption Functions · · Score: 3, Insightful

    I have an enormous amount of respect for Bruce Schneier, but his writing is designed to get him business, not to give easy answers to big problems.

    Umm, easy answers to big problems? There are none, sir, and while Bruce does occasionally plug his own products, I've never thought that he was just into it to make money. Reading his blog is the most informative part of my day.

    Besides, we all know that his real reason for blogging is to help squid become the dominant species on the planet like they were intended to be.

  6. Re:Worth it. on Firefox SSL-Certificate Debate Rages On · · Score: 1

    Separate the authentication from the encryption and you have no problem at all. Right now, the little padlock icon and the protocol are redundant, since the padlock icon comes up with https and it doesn't with http. If you separate that out, and have the padlock only come up when the identity has been verified, then you can do self signed certs more easily. The average user wouldn't know the difference between http and https anyway, and an educated user would know better. Arguing that an insecure certificate will give users a false sense of security is like arguing that using png's on your website will make users think that your images won't have any transparency - you're both assuming that they have more knowledge than they do and that they're going to misuse it.

  7. Re:ehm on New Attack Against Multiple Encryption Functions · · Score: 5, Informative

    The summary is blatantly wrong. Take a look at the Schneier blog post (from 3 days ago) and the second update: this attack only works against LFSR encryption of a low order, which means that none of the schemes mentioned in the summary are actually affected.

    Now, if I were to actually RTFA, I would know whether the article was slow on the uptake or slashdot, and whether or not they should have known that the attack wouldn't affect the major algorithms, just smaller ones. Either Slashdot's dead wrong on this or computerworld is, and I'm not sure which one's more likely.

  8. Re:Who are these people...? on Jerry Seinfeld Will Plug Vista · · Score: 1

    That's the biggest problem that I've had with it, yes.

  9. Re:Who are these people...? on Jerry Seinfeld Will Plug Vista · · Score: 3, Interesting

    The little pop-up that annoys people to the point where they begin to just ignore it, or figure out how to turn it off?

    The same could be said of any security feature. Good security's hard, and I've found the vista pop up to be no more annoying than the ubuntu one. I haven't used a Mac in years, but from what little I remember, it seems like it still has the pop ups. So, your two actual points seem to be that it pops up more than necessary and that it can be turned off. The first is a problem with other companies requiring administrator rights when they don't really need them, and the ability to turn it off is just giving people more options. So where's the problem?

  10. Re:Who are these people...? on Jerry Seinfeld Will Plug Vista · · Score: 2, Insightful

    Which operating system are you referring to? Because if it's Vista, then I've got to say that I don't find it at all annoying. It works quite well, the security's a welcome addition. The biggest problem is that they don't have the equivalent of a command line "sudo", but then again, I'm one of the very few people who use a windows command line I'm sure. Overall, Vista works quite well for me, much less of a headache than Ubuntu. Just my 2 cents, but I get the feeling that Vista had more bugs before SP1, and now people are just angry that it wasn't a huge leap over XP.

  11. Re:Reasons why browsers are poor application runti on Was Standardizing On JavaScript a Mistake? · · Score: 1

    Client side privileges are difficult to control, and relying solely on the server for security is not always possible

    Bullshit. Client side privileges are impossible to control, as someone else said. Just ask the RIAA or MPAA if you can control the way someone uses their own computer.

    As for why servers can't control security, I ask you why not? Everything that takes place between computers takes place on the server. All of the code that actually processes and stores the request happens on the server. What access would you like to control in an application that you can't control on the server?

  12. Re:Got it wrong on Was Standardizing On JavaScript a Mistake? · · Score: 2, Insightful

    The biggest problem that I've seen is that nobody knows how to code it. With C, C++, Java, and even PHP there's a set of standards that everyone adheres to with objects, functions, loops, etc. Then you bring in Javascript with a completely different paradigm and suddenly the old standards don't apply. When defining functions on the fly, do you use Function(), function *name* {}, eval...? How do you use the prototype? When do you use closures? Most people don't even know how to use these, much less when to use them and how you should format that use.

    The most popular method right now is to try and make it so that javascript conforms more closely to existing paradigms, so that objects can extend one class and only one class, closures are avoided, etc. They would rather act as if some of the most powerful features of the language don't exist than try to work with the new paradigm. In my opinion, this isn't a long term solution and it's nowhere near optimal. When some good coding standards start emerging for javascript and we get some decent editors, I think we'll see a spike in code quality. Until then, it's going to be a mess.

  13. Re:HTML5 is a standard now? on A Mozilla Plugin to Help Overcome IE Rendering Flaw · · Score: 1

    Sql injection requires knowledge of sql and either a way to get the structure of the database or some luck with guessing tables. If you're going to say that sql injection is just typing text into a field, you could say the same for buffer overflow.

  14. Re:HTML5 is a standard now? on A Mozilla Plugin to Help Overcome IE Rendering Flaw · · Score: 2, Interesting

    What's the difference between web developers and regular developers? Take a look at any desktop applications and tell me that they're programming with better security practices than web developers. Windows, apache, IIS, OSX, and many more programs include critical security holes that can be exploited externally; how is a buffer overflow any better or worse than improperly escaped SQL?

    Developers as a whole have been programming without security and privacy expertise, web developers just happen to have a program that's exposed to (at best) everyone in a particular company, or often everyone in the world. With that kind of exposure, what percentage of non-web-based programs would survive without getting exploited?

    Sorry, rant over. Security is a big concern, and for things which need to be very secure these features shouldn't be allowed. However, that shouldn't keep the browsers from increasing functionality and usability. Hopefully developers are learning their lessons and becoming more security conscious.

  15. Re:i dont know on Microsoft To Buy $100M More SUSE Support Vouchers · · Score: 5, Insightful

    All of the places that I've worked have been mixed Windows/Linux server environments, with some of the servers being Windows to take care of Outlook stuff and the web servers and database servers running linux. If you've got a smaller shop with just a few servers, and you want support, Microsoft is now able to provide you with a complete solution. If you're a tinfoil wearer, you can go ahead and assume that they're going to use this to push their clients towards windows exclusivity over the next few years as well. If you're naive and don't study history, you can assume that they're doing this because they want to be 100% interoperable, and this is the first step. If you live in the real world with me, you can assume that a little of both is true - interoperability is a goal for them, and they would also like to be in a position to nudge you closer to windows.

  16. Re:I'm sorry... on My Job Went To India · · Score: 2, Insightful

    His post was bad, but your two are worse. I've had a job outsourced, and I've laughed at how dumb management was to do it. If you're really a leader in your field, then you can move to another company or start one of your own. You can compete with Eastern European countries in ways that aren't cost, like being in the same building and speaking the same language natively. I don't care if the Indian on the other side of the line has spoken English since they were 8, it's fucking hard to talk to them.

    It is unfair, but life isn't fair and you're going to have to deal with it. The bean counters who are swayed by cost and cost alone are making mistakes, and that opens the field up for someone else to step in and not make the mistakes. Instead of focusing on the part of your life that you have no control over, focus on the part that you do and take control that way. So, to reiterate the GP, grow up.

  17. Re:Doesn't OSS Make it Worse? on My Job Went To India · · Score: 3, Informative

    You're kidding, right? If you work on the right projects, they can't keep you from using the product for free, and things like this tend to grow exponentially. When you've got a program that runs a game, suddenly you need a good AI, which will be made so that it's a plugin rather than native. When you've got good AI's going, you find that a web client would be appreciated for that game, so you make one. It just keeps going on and on, all the while you're writing code that can be seen by everyone, and if a company starts supporting the code you're writing, there's a good chance that you'll get hired by that company.

    Growing the market is only good. Without Linux and Open Source, I know over 100 developers who wouldn't have their current jobs.

  18. Re:Racist Attacks are Terrorism on Slashdot's Disagree Mail · · Score: 1

    You know, the fact that both of those people got escorted off the premises and that most of the people around him were very receptive to him screams that it's an isolated problem. Keep in mind that he's in Missouri, which sided with the South and had slavery (if I remember correctly).

    Racism is isolated and uncommon; bringing attention to it's just going to backfire at this point.

  19. cost? on NASA Installing Shocks On Ares · · Score: 4, Insightful

    Will they then have to haul nearly a ton into space? That sounds like a very costly improvement to the shuttle.

  20. Re:Cultural Differences on Hacker Uncovers Chinese Olympic Fraud · · Score: 1

    Fortunately, the officials that need to be convinced (not necessarily of the truth, but that enough people believe it's the truth for them to get some fallout) are IOC members, most of whom come from considerably more free countries.

  21. Re:The solution is simpler on Support Grows For Blanket Music Licensing · · Score: 1

    we'll wind up with random product placement every 20 seconds in every movie we see

    Instead of just in the Will Ferrell comedies?

    I suspect that DVDs will start to compete even less well due to increased previews/ads

    Which is exactly my point. They take actions that are hurting their business model and making the pirated copy worth more to everyone. If they'd just stop that, they'd be fine. As it is, they're down to 3 boats hauling their cash instead of the 4 or 5 they predicted they'd have. My heart aches for them ;)

  22. Re:good thing, bad thing on Judge Rules Man Cannot Be Forced To Decrypt HD · · Score: 4, Insightful

    Good things like this only happen to bad guys because that's where the infringement on rights starts. You don't infringe a soccer mom's right to privacy, you infringe the creepy Mexican guy who likes to watch child pornography. Once his rights are infringed and the courts have set a precedent, then you can infringe the soccer mom's rights all you want, it's now legal! Defending society's rights requires defending them for every member, the scum included.

  23. Re:of course on Judge Rules Man Cannot Be Forced To Decrypt HD · · Score: 4, Insightful

    If it's not true, then the defendant can just turn around and offer the keys to the volume and get the cops in trouble for perjury. I doubt he's innocent, but if he is this could be one of the most satisfying court cases in the history of geekdom. Defending your right to encryption and then catching two police in a blatant lie? Priceless!

  24. Re:The solution is simpler on Support Grows For Blanket Music Licensing · · Score: 1

    I'll make one leap: you didn't argue against the GP's argument in the slightest. You put up a straw man.

    To make the connection, however, you'd have to look at theater sales and the value of the DVD itself. First, the theater is an experience that very few people can replicate at home. Having the latest 4-20 movies in a large room with enough seating for all of your friends and food for all of them isn't something that most people can do, and even fewer can do it at the drop of a hat (i.e. after dinner going to watch the new Green Lantern movie).

    Then there's the value of the DVD. The quality's good, something you don't always get out of the download. The time to delivery is shorter. I can run to Walmart and back with my wife in the time it takes to get to 25% on the torrent. The case and the DVD don't look like they've been pirated so your parents and friends don't know that you're lending out pirated DVDs.

    Overall, there will be people willing to pay for these things for a long, long time, just like there will be people willing to buy the CD and see the band on tour for a long, long time. If they'd focus on adding value to legitimate products and generating good will in the customers, they'd make buying the product more attractive than piracy. Unfortunately, they just keep trying to make it harder for the pirates, which is a losing game with our current set of technology.

  25. release a crappy product on Flagship Studios' Founder Discusses Its Demise · · Score: 4, Insightful

    and you get a crappy return. From what I understand, there were a lot of bugs and problems with the game, to the point where it wasn't worth picking up. If those bugs had persisted, those already playing the game would have left (to varying degrees of course). In the end, they released a product that wasn't where it needed to be, and they lost out on their big opportunity to make a splash.