> to protect against snooping, against which SSL is bulletproof.
Is it really? I am not so sure. After all, you "trust" all those companies you've never heard of to vouch for the certificate. So what's to stop someone with extended capabilities and resources from getting a nice MITM certificate signed by said companies and putting themselves, well, in the middle of your session to your intended target server (let's say SSL'd web mail)? Your browser trusts the white-van cert and they in turn forward your traffic to the real site. Seems pretty classic. In fact, a self-signed cert which you've been able to verify or at least save once would offer more security.
Everybody and their mother asks: Do you know who you are communicating with? Perhaps the real question is: Do you know who you trust?
> Maybe Perspectives can help show that certs come from the right
> source.
> http://www.cs.cmu.edu/~perspectives/index.html
Perhaps something like what Perspectives does for SSL certs would be
feasible for GPG keys pulled off a key server.
As in: "This public key for email@domain has been seen consistently
for X amount of days", i.e. it has not changed thereby preventing
imposters. Would be a nice secondary path of semi-trust in addition
to the Web-of-Trust.
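The two comments above describe the same idea from two angles: a self-signed certificate you have verified or saved once, and a Perspectives-style record of how long a key-server key has been seen unchanged. The following is an added example (not code from the thread, from Perspectives, or from any key server) of a trust-on-first-use observation store that implements both: it remembers the first fingerprint seen for an identity, refuses to overwrite it silently, and reports how many days that fingerprint has been consistent. The identities, fingerprints and the `KeyObserver` class are constructed for this example; days are plain integers rather than real timestamps.

```python
"""
Added example, not from the thread. A trust-on-first-use (TOFU) observation
store: it remembers the fingerprint first seen for an identity (a self-signed
TLS certificate you have "verified or saved once", or a PGP key pulled from a
key server) and reports how many days that fingerprint has been seen
consistently, the Perspectives-style secondary signal. All identities and
fingerprints below are constructed samples.
"""


class KeyObserver:
    """Maps identity -> [fingerprint, first_seen_day, last_seen_day]; days are integers."""

    def __init__(self):
        self._seen = {}

    @staticmethod
    def _norm(fingerprint):
        # Tolerate "AA:BB:CC" and "aabbcc" spellings of the same fingerprint.
        return fingerprint.replace(":", "").replace(" ", "").lower()

    def observe(self, identity, fingerprint, day):
        """Record a sighting. Returns 'new', 'consistent' or 'changed'.

        A changed fingerprint is never written over the stored one here; the
        caller must decide (see accept_change), because a silent overwrite is
        exactly what an in-the-middle certificate or swapped key relies on.
        """
        fp = self._norm(fingerprint)
        entry = self._seen.get(identity)
        if entry is None:
            self._seen[identity] = [fp, day, day]
            return "new"
        if entry[0] == fp:
            entry[2] = max(entry[2], day)
            return "consistent"
        return "changed"

    def accept_change(self, identity, fingerprint, day):
        """Out-of-band verified key rotation: store the new key and restart the clock."""
        self._seen[identity] = [self._norm(fingerprint), day, day]

    def days_consistent(self, identity):
        """Days between the first and the latest sighting of the stored fingerprint."""
        entry = self._seen.get(identity)
        return 0 if entry is None else entry[2] - entry[1]

    def trust_level(self, identity, min_days=30):
        """'unknown' (never seen), 'recent' (seen < min_days) or 'established'."""
        if identity not in self._seen:
            return "unknown"
        return "established" if self.days_consistent(identity) >= min_days else "recent"


def demo():
    """Constructed scenario: a key server hands back a different key on day 45."""
    obs = KeyObserver()
    results = []
    for day in (0, 10, 20, 44):
        results.append(obs.observe("alice@example.test", "AA:BB:CC:DD", day))
    # Day 45: a different key is served for the same address. The stored key
    # stays, the change is reported, and the 44-day history is not lost.
    results.append(obs.observe("alice@example.test", "EE:FF:00:11", 45))
    results.append(obs.trust_level("alice@example.test"))
    results.append(obs.days_consistent("alice@example.test"))
    return results


if __name__ == "__main__":
    print(demo())
```

A real deployment would persist the store and, as Perspectives does, compare notes with several independent observers so that one observer's first sighting is not itself the attacker's key; the single-observer version above is enough to show why a key that changes after months of consistency deserves a hard stop rather than a quiet update.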
> Only Terrorists use encryption, if you're not a terrorist you've got nothing to hide.
Oh, the irony of this! I love it! :-)
You forgot: "Signed, Your friendly NSA and associates" :-D
> I don't, for instance, care about having slashdot encrypted at all.
> if someone steals the password or the cookie then so be it.
On a more serious note:
What if somebody uses your account to, say, post "I wanna blow up the
POTUS!!!"? Do you still not care, if the Secret Service rings your
doorbell and starts asking you very detailed questions?
Agent Smith: "The threatening message was posted yesterday at 22.34.
What were you doing at that time?"
Korin43: "Oh...well, I was on the computer. Reading stuff. Like
Slashdot. Uhh...yeah *gulp*"
Right. Even if you can clear yourself chances are you'll be watched
afterwards and you are definitely indefinitely in the USSS database
if nothing else.
> I don't, for instance, care about having slashdot encrypted at all.
> if someone steals the password or the cookie then so be it.
That's like....Bad Karma! :-)
> The last thing we want is to get the less tech-savvy individuals
> used to accepting untrusted certificates.
They are already used to it. NEXT?
> If all of those sites switched to HTTPS, each would need a separate IP address
AFAIK, SSL via shared IP and virtual host(names) is possible. Haven't had the need to actually use it but it is available.
> I'd be curious to see the results of a survey to see how many SMTP
> servers are advertising STARTTLS.
I'd be curious to see how many mail user clients are advertising
STARTPGP...
Does even one Linux distro support PGP/GPG out-of-the-box in a way
that's basically akin to opportunistic encryption, or at least makes
setting up key pairs a normal step in the regular e-mail setup that
every user has to do anyway?
> Why would I worry about porn? If some tech drone sees there's porn
> there, big deal.
Unless the tech drone and his pointy-haired store supervisor think she
looks less than 18. Before you know it, a police report has been
filed, questioning ensues and a whole mess in general descends upon
you that you may never quite extricate yourself from again...even if
she was 23 at the time, but who's gonna ask her...
> At least in New Zealand they still need a warrant.
Unless, of course, the 'collection' is done by partner services of the Echelon-participants...like it's been done for decades.
You haven't posted anything refuting my claim despite your list. There is currently no way for actual legal immigration, as in "The US is cool...let's move there and build a life". You do need to have my aforementioned prereqs to even entertain the thought. Sure you can come as tourist or even as student or worker and stay a while, if all goes well. But that's a long shot from becoming a citizen. You should search for how to get a green card instead.
As for criminals...well, surely among immigrants there are certain criminal elements (I mean real criminals, not people who have overstayed their visa a couple of days). But you might find a visit to an underground 'temp agency' geared towards illegal aliens eye-opening, when the highest-paid job is around $2.50. Fact is, if the people currently in the country undocumented were given the opportunity to become lawful workers, you'd see a lot more tax income and a lot less crime.
> I'm all for LEGAL IMMIGRATION - that is where people apply for immigration,
> follow the rules, and eventually become naturalized, and swear allegiance to
> their adopted country. ILLEGAL ALIENS are an invading force.
You do realize that this isn't possible in the US? You can't just come here
and say "Oh, I like it here and am gonna stay and become a citizen". You need
to get married, or invest lots of money, or have a relative (1st degree) to
sponsor you. Other than that the door's pretty much shut.
And that's why there are millions of undocumented people in the country. Not
because they don't want to pay taxes or otherwise contribute...it's because
they can't do it any other way.
> Besides that, even a complex screensaver (like those nifty aquarium screen
> savers) uses almost no resources and adds very little to the power
> consumption of an idle PC, but SETI@home is a number crunching app, and
> number crunching is extremely CPU intensive.
Right...cuz the cute whales appear spontaneously out of nothing and we all
know that 3D animations require "almost no resources", as any gamer can attest
to. :-D
> Just how much CPU do you think those [screen savers] require, versus SETI
> running at 100% utilization...
Umm...100% as well?
the final nail in the coffin of the 'traditional' news dissemination business model. One that relied on having to purchase a physical (print) medium and that has not been able to adapt to the Internet era. This is also a consciousness-switch of the traditional users: information wants to be free and they want it accordingly. To try to force people to actually pay for content they can have for free (regardless of what Google, Murdoch etc. do) is almost laughable in terms of failing to accept the inevitable. In fact, it will accelerate it.
However, I do wonder about the journalists and writers...what is the way for them to make money if news and stories are only accepted for free? There is a large effort needed to write quality stories...a lot of calling people, driving around interviewing, checking documents etc.pp. So far the newspapers/-agencies were, for a writer, the customers and they paid based on length etc. If they falter, what will happen? Suggestions?
> What's your mother's phone number?
867-5309
> using the Ubuntu alternate install cd
You don't need the alternate installer...the regular CD will work just fine.
> make sure you bookmark the HTTPS URL, so the first hit on the bank's httpd
> is HTTPS and not HTTP
I'd love to see an FF plugin that checks for the availability of an HTTPS
version before bookmarking a site (and suggests accordingly). Always hate
having to try manually, though it's quite eye-opening to see just how few
sites actually use it, and even fewer who implement SSL correctly.
Not bad. In fact, there's a great plugin for vim that uses openssl just like
that for creating a command-line password safe:
http://www.vim.org/scripts/script.php?script_id=2012
However, your 2nd step is very questionable. You should instead use:
shred -vuz passwd.txt
Better yet, you do all this on a LUKS partition. (Then you might get away with a
simple rm.)
> Banking passwords should be memorized and never, ever, EVER written down or
> saved (and that includes firefox too).
Sorry, won't work. In fact the only way I can use actually secure passwords
with high entropy is by writing them down. I might agree about the (not)
storing in Firefox bit, but other than that I think this is unhelpful advice.
We're not meant to remember 128-bit passwords. I'd rather keep them in
obfuscated written-down form in my wallet. If that gets lost or taken, I have
more immediate problems than my passwords.
Since this is happening not just in India, what measures can we take to protect ourselves? For example, with the Nokia 900 Linux-based phone or iPhone etc....do any apps exist that will encrypt the conversations (similar to cryptophone, just actually affordable)? Anyone got any suggestions and/or experiences?
> The issue, as I see it, is very simple. This should be applied not just
> regionally, but globally: Open PC. Mandate: The Consumer is given the
> ultimate right and therefore choice to determine which Operating System, if
> any, should be installed at 'Point of Sale'.
Nice thought. Instead we had the EU pseudo-pissing on Microsoft's leg by going
on about RealPlayer and Netscape and whatnot. Enabling real choices for the
customer was unfortunately not in their interest. But then....to expect
politicians and parliament members to actually work for the common good is
pretty silly to begin with, I sadly suppose. The only people effecting change
are individuals who do out-of-the-majority's-box actions like demanding a
refund for an imposed OS. Regardless of the money involved, everybody doing so is
to be applauded just for principle!
PS: I much prefer the word 'customer'. To me being called 'consumer' is almost
an insult. Customer implies choice and free will...consumer doesn't. Just my
take on it.
> Your ingenuity of using angle brackets instead of quote tags intrigues me.
> You must have lots of good ideas.
Would you like to subscribe to my newsletter?
Zed: Bring out the Gimp.
Maynard: Gimp's not installed.
Zed: Well, I guess you're gonna have to go apt-get install him now, won't you?
>> I don't mean to troll, but once the name changes
> dude, finish your sentence! The suspense is killing me!
...the year of the Linux Desktop has arrived.
TFIFY! :-)