No, my answer is that we are already trusting the user, a password authentication system cannot ever be more secure than that trust, and neither system can solve the problems upon which you based your assertion.
That's okay. I don't need to draw this out any further. I just wanted to understand how you came to your conclusion, and now I believe I do.
Can someone tell me how to get Firefox to say which protocol it's using for any given session? The Security tab has a Technical Details section that mentions "High-grade Encryption" and TLS, but it doesn't say which version of TLS.
"Very few sites (even tiny web forums and such) are willing to trust arbitrary 3rd party."
Those sites wouldn't be trusting a third party; they would be trusting the user. Specifically, they would be trusting the user not to delegate his identity to an impostor-friendly provider, just as they are now trusting the user not to re-use his password on any site that will some day have a database leak or cleartext login form. Anyone who thinks his onsite auth buys him greater security than OpenID either has some magic way to force people into choosing unique passwords, or is sadly mistaken. I'll let you guess which is more likely. :)
I'm curious where you got the "very few" metric. Anecdotal evidence? A study with a large and diverse sample size? If you have some study results, I'd like to bookmark them. I guess it would just go to show that very few admins have a good understanding of overall security.
"There are other problems, like ensuring unique, non-spam/bot users, that can't be done with remote authentication"
Local password authentication can't solve those problems either. Bot and spam problems are solved by other means, like captchas and request rate throttles. Sane sites do this when an account is created, not every time a known-good user wants to log in. Some really careful sites take additional steps during login (like click/request/response timing), but those steps are invisible to the user and can be applied regardless of whether a local password is used.
"We do, it's called Open ID, which is what Google leverages for their single-signon (not sure if FB is their own solution or not). It was a really popular thing about 5-10 years ago and got a ton of attention. I think even MS enabled it."
OpenID 2.0 accomplished something very cool: allowing a user to use any ID provider for authentication on any compatible web site, even if the two sites had never heard of one another. Unfortunately, it has two major problems:
It's too complex to easily implement. This became less of a problem once OpenID libraries like Janrain's emerged, but there are still subtle details left up to website developers to get right, and since many of them don't bother, a lot of sites that supposedly accept OpenID actually fail with some providers.
Perhaps more importantly, the URL-based IDs are not user-friendly enough for non-geeks. Several high-profile sites tried to solve this problem by replacing* the OpenID URL input box with a simple button for each well-known provider, but that meant limiting the user's choices of provider. At that point, the distinguishing feature of OpenID was lost, so lots of sites chose the simpler-to-implement OAuth 2 instead. The Login with Facebook service is one of them. Even Google eventually deprecated their OpenID service.
In my opinion, the issue of relying parties not trusting someone else as an identity provider was not such a big deal; certainly not enough to have killed OpenID. For every such distrustful site, there are dozens more simple web forums and the like that would be happy to get rid of their password database.
*stackexchange is a notable exception; they still offer the input box if you click a link.
I wish it was enough to have a phone that runs my apps just fine today, and simply stick with those apps. Sadly, my experience has been that I have to upgrade those apps every so often (even if only for security patches), and when I do, most of them are larger and run slower on my now-older phone. After a couple years of upgrades, those same apps now fill all of my phone's storage space, and many run like molasses. My phone is now painfully slow at doing the same things that worked fine when I bought it, even after a factory reset and app re-install. Lesson learned: the next phone I buy is going to need high-end specs if it's going to keep running well for more than a year or so.
I have a low power NAS box with a large hard drive. I replaced the stock firmware with debian. It serves all my shared files (linux ISOs, music, etc.) and runs all my network services (CalDAV, CardDAV, etc.). I periodically run backups to an external drive, which remains powered down and disconnected most of the time, and can be swapped with an off-site backup drive.
Gigabit ethernet connects all my stationary computers and phones. An old wifi base station connects the mobile devices. A wired-only router sits between my LAN and my modem.
I outgrew the desire for lots of computers and big network hardware long ago. That stuff just takes up space, wastes power, and generates heat. I get much more satisfaction from cool, quiet, efficient systems nowadays.
Seriously, ask her. Show her a couple of options that you're willing to support, point out the differences from her old desktop, and let her choose.
I recommend something with an OSX dock-style launcher, perhaps Unity (with appropriate privacy tweaks) or Avant Window Navigator. I got a 70-year-old to switch from Windows to Ubuntu/Unity in under an hour, with very few follow-up questions.
It might also be helpful to give her a linux distribution that you use regularly, so any support you have to do in the future will be in a familiar environment.
I prefer open source over a black box mainly to avoid two problems: unverifiable security and abandonware. If Ubiquiti can convincingly show that all security holes are patched before or promptly after someone discovers them, and continue to do so until I no longer have use for the product, then I'm fine with proprietary. I don't know how they would accomplish the former, though, and so few companies choose to do the latter that I'm skeptical.
I don't care a lick about a facebook app and 49 games. Please sell me a compact, reasonably lightweight, open source phone with a good web browser, a good offline sat-nav app, and regular security updates.
The Ubiquiti stuff looks pretty sweet, but I don't think EdgeOS is open source. What's their track record of bringing updates to old products? Can anyone outside of Ubiquiti audit the code?
I'm among the many who have built up a healthy aversion to certain software after having been repeatedly burned by Pulse. I would not have chosen systemd. That said, I have tremendous respect for the Debian team, and am optimistic that the worst of the problems we find with their choice will be addressed within a couple of years. Let's get the bickering out of our systems quickly, and move on to helping one another turn the new init into something genuinely good.
No, VOIP still sucks. Cellular sucks. Cellular plus VOIP really sucks.
Eh. POTS worked okay for me most of the time, except when wet weather made call quality worse than normal. VoIP works well for me most of the time, except when a bad route makes call quality worse than normal. At least VoIP gives me more alternatives with which to work around a problem, and is a hell of a lot cheaper. I look forward to the day when better codecs (on both VoIP and cellular) and encryption raise the "normal" bar, for basically no cost.
"Make sure you include a neutral to all of your wall switch boxes."
This is a good idea even if you don't plan on automating anything. With a neutral at each of your switch boxes you can install all sorts of electronic gadgets, including trailing edge dimmers, which are much more friendly to LED and other modern lighting systems than the dimmers that work without a neutral.
If you believe Pulse is rock solid or used by the entire world, I can only imagine that you don't get out much. The rest of your comment seems to be responding to something that I didn't write, so I guess I'll ignore it.
Replies like yours make me wish the reply button was disabled until you actually read and understood the comment to which you were replying. You obviously did not.
After having repeatedly run into the limitations of SysV init, I'm all for replacing it with something smarter, but I'm torn between these two.
I've used Upstart on Ubuntu, both as an admin and as a developer. I like that the commands and configuration files are clean and pretty easy to understand. A few things bother me, though:
The model of starting all dependent services when their dependencies start is backwards. I don't necessarily want init to launch every daemon under the sun the moment I mount their data filesystem. I'd rather have it mount the required filesystem when I ask for a particular daemon to start.
As of a year or so ago, the documentation was mainly an incomplete bunch of blog posts. Once I found them, it was pretty easy to configure daemons that behaved like the venerable ones that are often used as examples, but it was difficult to learn how to match Upstart's features (some of which are undocumented) and events (also largely undocumented) with an unusual service's behavior.
Debugging was difficult, mainly because so few events are well documented and it's not always clear which of Upstart's features are implemented in any given version. (I hear the latest release offers some event tracing tools that would improve this.)
I haven't used Systemd at all, but the common points that come up again and again in every writeup I encounter have me forming some opinions already. I really like the idea of the load-as-needed dependency model. A few things have me quite worried about the implementation, though:
Configuration is reportedly difficult to understand. That always leads to frustrating, time-wasting, messy problems.
The code is reportedly rather complex. That usually leads to chronically buggy software, which is not what I want in a process as important as init. It also tends to hamper portability, which could make Systemd a poor candidate for replacing init on other unixes, which would relegate it to being yet another OS-specific hassle for coders and admins all over the world. I'd prefer something that could reasonably be adopted everywhere, or at least by most of the operating systems I have to administer, even if a few features weren't available on every platform.
I recently learned that the guy behind Systemd is the same guy who brought us PulseAudio. I don't want to get off topic here, but this gives me little hope that Systemd will ever work well outside the lead developers' development machines. (Pulse is around 10 years old now, and every time I give it another chance, it proves itself intolerable.)
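As an added illustration (not part of the comment above), this is what the load-as-needed dependency model looks like in a systemd unit: the daemon's unit names the filesystem it needs with RequiresMountsFor=, so asking for the daemon pulls in the mount, rather than the mount's appearance triggering the daemon the way an Upstart `start on mounted` stanza does. The unit name, binary path and /srv/data mount point are assumptions for the example.

```ini
# example-daemon.service (constructed example; the unit name, binary and
# /srv/data mount point are assumptions, not taken from any real project)
[Unit]
Description=Example daemon that keeps its state under /srv/data
# RequiresMountsFor= adds Requires= and After= dependencies on whatever
# mount units are needed to reach /srv/data. The mount is pulled in
# because this service was requested, not the other way round.
# The equivalent Upstart job would instead declare
#   start on mounted MOUNTPOINT=/srv/data
# and be launched whenever that mount event fires, whether or not
# anyone wanted the daemon running.
RequiresMountsFor=/srv/data

[Service]
ExecStart=/usr/local/bin/example-daemon --data-dir /srv/data
Restart=on-failure

[Install]
WantedBy=multi-user.target
```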
"Democrats and republicans can twist any topic to be a battle between democrats and republicans."
FTFY. :)
So it's basically carte blanche for anyone with a job in politics, law enforcement, or prosecution to destroy the life of anyone they choose, based on nothing more than conjecture. Does anyone else find this frightening? Would the dangers of this idea be more obvious if the words "computer users" or "hackers" were replaced with the word "people"?
I ran into that same problem with Skype's latest release. Rather than giving Pulse a fourth chance to burn me, I decided it might be time to give WebRTC a try.
I'm so glad I did. OS-independent browser-to-browser video chat worked fine. I used Chromium on linux while my friend used Chrome on OSX. The latest Firefox release supposedly supports h.264, so it might work as well. Here are a couple of call set-up sites in case you'd like to try it for yourself:
https://opentokrtc.com/
https://vline.com/
Can you link to the documentation for this? I'm too lazy to search for it right now. :)
I think I'm glad to read this news, especially right now, because it might motivate someone to develop a better alternative.
I'd like to see something like this:
Could a domain owner be their own trusted third party?
Thankfully, not everyone in the world is as eager as you to accept the status quo and discourage progress.
That's pretty much what people used to say about Mac users.
...a programming language (still) doesn't have to be good in order to see widespread use.