> How good of a code audit does GPG undergo? IIRC, GPG is
> largely funded by the German government.
As good as you'd like to make your audit:
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.18.tar.bz2
> There would be 0% expectation of privacy with such a phone.
As opposed to....?
So what about us normal and decent folks? What options exist for us to end-to-end encrypt calls and messages (at minimum)? Anything open-source out there, that lets you do that?
> Fall back to regular HTTP then. There's no point in insecure HTTPS.
But there is a point in insecure HTTP??
> Security is the "S" in these protocols and the sole reason for their
> existence.
I know this is hard for guys like you to accept, but the much-touted "S" has become a ridiculous notion. Especially when coupled with some outlandish DEV-belief, that users "have a sense of security", trained or otherwise.
SSL IN ITS CURRENT FORM IS BROKEN AND HAS BEEN SINCE THE BEGINNING!!
Flash isn't dead until Netcraft confirms it! :-P
> My CPU isn't wasting cycles when it's on and idle, it's sleeping,
> conserving energy and generating less heat.
That's wonderful. But you're not conserving energy, the same way a car just idling in the drive-way, as opposed to actually being driven (the whole point of a car), is not exactly doing any favors for conservation/the environment.
Especially not, when that computer you're letting sleep most of the time, will be thrown in the garbage 5 years hence because, although fully functional, can't do the things you want anymore. So, to use the car analogy again, is there really something reasonable about a car being scrapped, that has only been driven for 4500 miles all in all? Me, I don't think so. It failed its designed-for purpose. Or rather the user failed to use it for its purpose.
But it's all good. You can, of course, do whatever you want with your machine(s). Even use them as nifty paperweights. :-)
But me, even my old 486 is still chugging away on distributed projects. Why? Because it still works and it will do *something*, as long as it does.
> If you can detect an alien civilization, then the possibility exists of
> not only being able to communicate with them, but also trade
> knowledge.
I'm completely with you on that. But it's simply gonna take a while. It's simply unlikely, that the first contact will be "Contact"-style ("Jackpot!"), where we get all kinds of wonderful things sent to us right away. Chances are, we detect something at some point, and then it will take a few decades of back and forth communication, if we even have a language we can agree on and understand each other. It might even turn out, that we are the advanced guys. In that case what are we gonna do? Send 'em a ZIP'ed copy of Wikipedia? :-)
> Yeah, people keep bitching about that first weekend where a
> software glitch caused the same work to be sent for the first
> weekend we were in operation.
Nobody was bitching, so chill, bro! I was not aware, that this was merely a bug. My impression from back then (it's been a while) was, that there was simply not enough data from Arecibo available due to other work being done with the radioscope (is that the correct term?). If that is not an issue anymore, then great!
> And when you're not, you're contributing to one of the most
> significant discoveries since fire.
All romance aside...purely from the distances involved (assuming a radio signal indicating 'intelligent life'), it would certainly be a very exciting discovery (for a while), but not necessarily 'most significant'.
Until we get there (or they here)...even just by radio contact, nevermind physical, we got nothing out of it other than knowing, we're not the only guys around. And that's already a given anyway.
I remember SETI always having issues with work units. There weren't enough so a bunch of users got the same work units. Found that to be a turn-off...didn't have that cozy feeling of actually contributing anything, as with other projects. Has that been worked out?
Also, did not SETI also want to make use of the Australia array? What's the status of that (haven't been following it)?
> When I'm not using the computer, just turn it off! Until the world's
> energy problems are all resolved.
But why would you waste 90+ percent of your (idle) cycles when your computer is ON?
IMHO, a computer is meant to compute. And I chose for myself not to have it "compute" nonsensical screensavers, but something worthwhile to me. Enough projects exist for variety...
> For the love of everything, can we stop making shitty references to
> Terminator in computational intelligence stories? There are actually
> people stupid enough to believe that shit. Also, it's not funny.
Affirmative!
Never had a problem with the EPUB's on the Sony PRS-650 formatting-wise.
> Why should I trust your list?
Why should you trust your (browser's) list of CA's?
> Untrusted CAs aren't included in the web browser
I LOL'ed! :-D
> The weakest link of CAs is trust.
The weakest link of trust are CA's.
TFIFY!
> > And crap like this is why I don't understand why my browser has
> > to go apeshit over self signed certs.
> A clue about making a certificate that's worthless against MITM
> attacks? Congratulations on identifying yourself as completely
> fucking clueless.
And this as comment in an article about a compromised CA, forged "official" and "trusted" certs...perfect for MITM's. Congratulations yourself!
> Like the judge said: “There are a lot of alternative ways to design a
> tablet device, as the market amply shows.”
Exactly. I mean, you could make it cube-shaped, or design it for dual-use as a soccer ball. But a flat device with a screen? No way! Only Apple could ever design something as innovative...
> The SSH model works great: connect to a site once; verify the
> fingerprint once if you consider a MITM to be a reasonable
> concern; cache the key and know that forever after you're
> connecting to the same site as you did the first time.
It works great for sites with 1 up to a few certs. There are distributed (Akamai-style) sites out there, that will present you a different cert with almost every page refresh! PITA... Normally hidden, since your browser will "trust" all of them anyway, but with CertPatrol etc. installed, you get an idea just how messed up things are in the background.
The /bin/nedal rootkit binary gave it away. AQ thought, by misspelling the name nobody would notice but Ha!...security through obscurity just never works!
It was 'Al Quaida'....obviously!
> Can't handle pork with a spoon.
Correct! That's what the spork is for. :-)
So why can't I paste my public GPG key into a form when I sign up to some web site? Or even just the keyID, if the key itself is on a public key server? Authentication would simply send challenge to be decrypted with private key...
Would also have the advantage in case of compromise, I could invalidate every login I have by issuing a revocation certificate (and presumably a new key signed with old key).
> Are you sure it wasn't a video of Highlander? Were there
> lightning and explosions when the guy was decapitated?
I don't care. I just wanna get my phone back!
> Sounds like you've been hanging out on Slashdot again, sonny.
Actually yes...I am not excluding /. from my little rant.