Have you even read the EULA? Another poster summarized it already here. Not to mention distribution licenses also sometimes cover use as well (i.e. Creative Commons).
Your point doesn't make any sense. Firefox is still FOSS; the source is released under a FOSS license. The EULA is about END-USERS, not downstream developers. It is still as genuinely open-source as any other open source is. Licensing of the code itself and licensing of the binaries are two separate realms.
Put him in jail and maybe these adult children will grow up.
You have way more faith in the correctional system than is warranted. They should give him community service or something, not send him to jail and turn him into a hardcore criminal. This is a person who at this point can still be of benefit to society. Intent has a place in the law and it should be considered strongly here.
Quite, but encryption doesn't really do much for me if I just give away the key to random entities a URL directs me to on the web.
Yes, but as you said, that's assuming the connection itself isn't to a MITM with a forged cert. I guess my ultimate point is that self-signed certs should really only be used in controlled environments; we don't want the less aware users to get used to creating security exceptions for every public site that uses SSL, thinking that is the norm. However, I suppose we are way off-topic at this point, so I will cede the point and wait for another SSL news story. :)
I'm not concerned; my point is, if verification is not offered, what's the point of even using the SSL cert? It's security theater.
Why bother even using a certificate then?
They (scientificlinux.org) are using an unsigned SSL certificate. Is there any way for me to verify the thumbprint for that cert out of band? Can someone post it if they've verified it?
Needs more hyperbole; I don't think you supplied nearly enough. It would go well with a hint more elitism too.
Woooooosh!
Does not matter if it's fiber or not; it's a percentages game. Giving everyone a 100% dedicated pipe is inefficient.
If they didn't oversell the bandwidth you'd be paying a lot more for internet than you are now. If you want a dedicated pipe, go look up the price of a T1 line and compare that to your residential internet. If they gave everyone 100% of the bandwidth in their plan dedicated, then they wouldn't be in business, and it would be terribly inefficient to boot.
I think your argument of hoops is really a stretch considering the fact that Battle.net has always been free; you just need a valid key, and it's not like you need to sign on to Battle.net to play single player. There are a bunch of reasons why LAN play might have been excluded; piracy could just be a side effect. Not having to bother coding or testing it is probably a bigger cost saving.
Looking at Firefox 3 there are 56 Root CA certificate groups and Verisign is only one of them. I'm sure a lot of them handle "many other smaller certificate authorities".
The GP didn't even mention Verisign, and Verisign isn't even close to being the only CA in business, there are LOTS OF THEM. Was a nice straw man though.
If you are particularly paranoid, Thawte (and there are probably others) will allow you to generate your own key pair and sign the public key, which means that at no point are they in possession of the private key. You just need to meet the requirements of their web of trust program.
Not that I'm dogging on your OpenVPN solution, I like it. I just thought I'd point out that most Linux distros come with OpenSSH installed and it can do tunneling right out of the box. There's nothing to it; you don't configure anything on the server (except maybe disabling password authentication, because if this is over the internet you are using PK Auth!), and all the configuration is done on the client side, which is mondo easy in PuTTY.
Why would you want to use CA SSL certs for those things? Devices which you have physical access to are presumably secure as you can verify the fingerprint on both ends yourself and thus either install the certificates or create a security exception. Working as intended!
You only need the CA SSL certs for resources which users have no prior knowledge of or access to. In which case, a self-signed cert is inappropriate unless you provide a means for your users to verify the fingerprint over a secure channel.
Make a security exception in FF? As a tech you should know whether or not the cert is valid; the warning is there for non-technical users.
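The out-of-band thumbprint check asked about above (for the scientificlinux.org cert) and the "verify the fingerprint over a secure channel" requirement in the reply amount to pinning the self-signed cert by its fingerprint. The following is an added example, not code from the thread: it computes the SHA-256 fingerprint of a server's DER certificate and compares it in constant time against a pin obtained out of band. `PINNED_FINGERPRINT` is a placeholder, not the site's real thumbprint, and the live fetch assumes network access.

```python
"""Pin a self-signed server certificate by its SHA-256 fingerprint.

Added example. The fingerprint compared against is assumed to have been
obtained out of band (from the site operator over a channel you already
trust); PINNED_FINGERPRINT is a constructed placeholder.
"""
import hashlib
import hmac
import socket
import ssl

# Placeholder: replace with the fingerprint you obtained out of band.
PINNED_FINGERPRINT = "<sha256 fingerprint obtained out of band>"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, in the colon-separated form browsers show."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab:cd:..' or bare hex so a hand-copied pin still compares."""
    return fp.replace(":", "").replace(" ", "").lower()


def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented cert against the pinned fingerprint."""
    return hmac.compare_digest(normalize(fingerprint(der_cert)), normalize(pinned))


def fetch_leaf_cert(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate in DER form without trusting it.

    Chain verification is disabled only so the cert can be retrieved; the
    pin check in verify_host is what decides whether the host is trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_host(host: str, pinned: str = PINNED_FINGERPRINT) -> bool:
    """True only if the live cert's fingerprint equals the out-of-band pin."""
    return matches_pin(fetch_leaf_cert(host), pinned)
```

Run `verify_host("example.invalid", "<pin>")` only after replacing the placeholder; a False result means the presented cert is not the one whose fingerprint you verified, so no security exception should be made.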
IIRC, Mozilla has already said that they would if CACert would meet all their auditing requirements.
People complain about the 'SSL Cartel' and Verisign's hefty fees yet fail to check their competitors. There are a lot of CAs out there for you to choose from.
One of MANY examples. https://www.godaddy.com/gdshop/ssl/ssl.asp
$27/year is not what I would call hefty.
I realize that this will probably be an unpopular opinion here but I felt like it's something that had to be said.
Producing the original material does take resources though, and it feels like a lot of people forget that. If we follow the strictly physical aspect of digital products, then the producer would have to recoup the costs of making the product in one sale because afterward it would be infinitely copied, which is obviously absurd. The point is that developers are selling something abstract, not a physical good, an "experience" if you will, something which cost them time and money to put together.
On the one hand people exclaim how digital products should not be treated like real products, as in the parent post, and then on the other hand people try to say that the consumer should enjoy all the same rights over the digital product as if he had just bought a real tangible product.
You can't have your cake and eat it too. Either digital products are special and have special rules, or they are not. I don't think the lawmaking has fully caught up with this concept and right now it's balanced too far over to the rights holders. However, I think it's unreasonable for consumers to expect the same rights of control over the digital product as they are given over a physical product.
I've used TPB for legal torrents as well as the "illegal" ones. I taste movies before buying them, and TPB is a great way to try before I buy. I actually spend MORE money on DVDs purchased legally because of this method.
Unfortunately the purpose for the download of copyrighted material does not make it any more legal, no matter how one rationalizes it; it's just simply not your right.
So the Italian prosecutor would call me a criminal. Fine. He's using public funding against what would be a "crime" between private parties. He's using the taxpayer's dollars to do the work the "harmed" party should be doing.
If I assault you or defraud you, that is also a crime between private parties, yet the state will still prosecute it. You need to define your terms more carefully. Should the state be handling what should ultimately be a civil matter? No, not really, but private parties have little to do with it.
I'm sure the owners of TPB don't want to step anywhere near a courtroom, even less for one not in their own country.
It's scary because it's true.
Defendants, it seems, almost never get the benefit of hindsight in their defenses, nor can hindsight be used against them. There is no way she could have known that the person downloading from her was an authorized agent.