Oh for the love of... "always assume that government officials are assholes. Do what they ask, obey their orders, don't be a smartass - as a result, you will generally speaking be OK."
What? You gotta be shitting me. Government officials are there for you, for fsck's sake! There is no way you should acknowledge they are "assholes" and hence play along!
Look, I come from a nation that had to fight with "governments" several times. I have the privilege to live in a free country now, but I remember that this privilege took a lot of blood - and tears. "The price of freedom is eternal vigilance", right? That also means "no playing along with assholes in the government agencies".
Come on, America. You used to be cool. Seriously, do you need an occupation or something to get your act together on this?..
It might even work, you know. In the '70s and '80s, while fighting our own communist regime in Poland, to help people that carried flyers and other (illegal) prints, lots of people wore backpacks, even when they didn't need them. This way the SB ("Security Service", secret police) had a hard time finding the 1 in 100 that actually had illegal flyers inside.
Maybe the ads should be loaded by JavaScript, AFTER the site's content is loaded? This way it starts to be the ad vendor's problem to get the ads there fast, *before* the user clicks on something else. For those users that do not use JS, the ads might be in iframes, so that they still load after the website's content, and asynchronously (as somebody already pointed out).
Mod parent up! That's *precisely* the point!
Two words for you: "root access".
On Android you have to bend over backwards to gain it (unless there is a fsckup with the text message editor, heh); on Maemo it's:
$ sudo gainroot
#
Android is almost as closed as iPhone...
Poland, too. Downloading is perfectly legal under something very similar to fair use here - uploading/distributing isn't legal.
What would be a case where you want to encrypt data that's transmitted and also not care that it may be intercepted, and/or altered by a "man in the middle"? Without proper authentication, how can you ensure that you're communicating with the correct site, and if you don't care, why bother encrypting?
It's not about not caring at all; it's about how much you care.
Look at it this way: every cipher can be broken by brute force - it just takes time/computing power. You are happy to use SSL certs with what, 128-bit keys? Once people used 40-bit and 56-bit keys and thought they were "safe". Why not use 1024-bit keys for your banking? It's safer, and so much harder to break by brute force! Why stop at 128 bits?
Why not 10240? 20480? Why is 128-bit A-OK, when there are safer ways to communicate (simply enlarging the key gives you one)?
Same here - the data is valuable enough to be encrypted in order to try and avoid casual eavesdroppers (like script kiddies, ARP-poisoning the network); it's not valuable enough, though, to shell out $$$ for a proper, CA-signed certificate to handle targeted MITM attacks.
It's not a question of "safety - no safety"; it's a question of level of that safety. Same as with those 40-, 56-, 128- and 1024-bit keys...
P.S.
I am willing to bet this will get a dozen "tl;dr" responses. Ah, well.
But they don't need to make a copy to listen in. Without authentication, your #1 connection encryption is almost pointless, as anyone in between can do an automated MITM attack. They don't need to clone your website or anything fancy or pre-planned. They just relay all your HTTP requests to the real site, and log the data.
Yes, that's true; but then again, it will save the data from being eavesdropped by script kiddies/government agencies by simple means of ACK poisoning or plain listening-in to the HTTP stream (i.e. on a hubbed network, or on a wireless unencrypted one).
Even an automated MITM attack requires some kind of proxy to be set up. Now, I do realise that it's not that hard and it may happen quite often (i.e. in internet cafes, hotel networks, etc.); but believe me, there are dozens of situations in which the #1 encryption option is really enough. And Firefox (or, for that matter, any other browser) bitching about self-signed certs is a PITA Royale in those.
Idea (probably somebody posted this on /. someday already): why not use something along the lines of what SSH is doing - handshake, store the key, bitch when the key changes? If it's good enough for us sysadmins (with a minuscule chance of MITM when you ssh for the very first time on a given server from a given client machine), it's good enough for SSL on most small-to-medium sized websites, isn't it?
There are basically two reasons to use SSL:
1. connection encryption (i.e. nobody else can read the transmission);
2. site authentication (i.e. you can be certain that this page is actually your bank's website).
See, here's the problem. Many a time I need to put up encryption, but have no need whatsoever for authentication (sending data like passwords or whatever, but not that critical to be a target of somebody setting up a bogus copy). Firefox says "whatever", and proceeds to complain about 2. above not being satisfied. And complain loud!
Something's wrong in this picture. I think there should be 2 classes of SSL certs - "encryption-only" and "full-mode", or whatever they'd be called. The "encryption-only" cert could allow you to use SSL without warnings; the "full-mode" cert wouldn't. The icon or other graphical method of identifying "trusted sites" could even be completely different for both modes.
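The SSH-style "store the key, complain when it changes" idea from the self-signed-cert comment above, applied to the "encryption only vs. site authentication" split in the comment just before this line, as an added example that is not from the original comments: a trust-on-first-use (TOFU) store of TLS certificate fingerprints, kept in a known_hosts-like file. The known_certs file format, the helper names and the certificate bytes used in demo() are assumptions; fetch_cert_der() shows how a real DER certificate would be read with the standard ssl module, and is not used by demo() so the block runs offline.

```python
"""Trust-on-first-use pinning of TLS server certificates (SSH known_hosts style).

Added example, not part of the original Slashdot comments.  The file format
'host:port sha256:<hex>' and the certificate bytes in demo() are assumptions.
"""
import hashlib
import os
import socket
import ssl
import tempfile


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, rendered as 'sha256:<hex>'."""
    return "sha256:" + hashlib.sha256(cert_der).hexdigest()


def load_known(path: str) -> dict:
    """Read 'host:port sha256:hex' lines into a dict; a missing file is an empty store."""
    known = {}
    if not os.path.exists(path):
        return known
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            hostport, fp = line.split(None, 1)
            known[hostport] = fp.strip()
    return known


def check_cert(path: str, host: str, port: int, cert_der: bytes) -> str:
    """Return 'first-seen', 'match' or 'CHANGED' for the presented certificate.

    first-seen: no pin exists yet, so the fingerprint is stored.  This is the
                one moment a MITM could plant its own key (same as first ssh).
    match:      pin equals the current fingerprint; the connection can proceed.
    CHANGED:    pin differs.  Nothing is overwritten here; the caller must
                decide (legitimate renewal needs out-of-band confirmation).
    """
    key = f"{host}:{port}"
    fp = fingerprint(cert_der)
    pinned = load_known(path).get(key)
    if pinned is None:
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(f"{key} {fp}\n")
        return "first-seen"
    return "match" if pinned == fp else "CHANGED"


def fetch_cert_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the server's leaf certificate in DER form, without CA validation.

    Validation is disabled on purpose: the whole point is pinning instead of a
    CA chain.  Not called by demo(), so the example runs offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> tuple:
    """Run the store through first contact, a repeat visit, a key change, and a revert."""
    # Constructed stand-ins for DER certificates (real ones come from fetch_cert_der).
    cert_a = b"constructed-der-certificate-A"
    cert_b = b"constructed-der-certificate-B"
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "known_certs")
        return (
            check_cert(store, "example.test", 443, cert_a),  # first-seen
            check_cert(store, "example.test", 443, cert_a),  # match
            check_cert(store, "example.test", 443, cert_b),  # CHANGED
            check_cert(store, "example.test", 443, cert_a),  # match (pin untouched)
        )


if __name__ == "__main__":
    print(demo())
```

The design choice worth noticing is that "CHANGED" never auto-updates the pin: a client that silently re-pins on every change gives the attacker exactly the window the scheme was meant to close. What the pin cannot tell you is whether a change is a routine certificate renewal or an interception, which is the usability gap that CA-signed certificates (point 2 in the comment above) exist to fill.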
The problem is not that there is no package manager, automagically updating the packages; the problem is, on Adobe Reader's official download page there is an outdated version featured. So everybody that gets directed to that page through Google search or whatever downloads and installs an unpatched, vulnerable and exploitable version. Cheers
You can do the same with Bluetooth and your mobile - I bet the netbook in question has Bluetooth. For Linux, there's KBlueMon (and some GTK equivalent); it lets you define the BT devices that need to be in range; if they're not, it locks the machine. I am sure there must be something like this for Windows.
I beg to differ.
I see electronic voting as a possible way of getting back to direct democracy. It was possible in Teh Good Ole Days of Teh Greeks, because there weren't many people voting; it was logistically impossible afterwards (too many people would need to voice their opinions on the same issue at the same time), so representative democracy was invented - this way a whole lotta people needed to voice their opinion only once per few-year term, and the rest of the decisions were made by the elected few.
Now, we all know how that worked...
Electronic voting (and I mean voting through the Intertubes, not at electronically equipped polling stations) gives us the possibility to get back to the root idea. No more "government shills" and the like (it has its deficiencies too, though - like "idiocracy"). Now, of course it would need a lot of thought to implement it The Right Way - good encryption, paper trail (e.g. "print your vote, sign it and mail it"), etc. But at least it gives hope that guys like Sen. Stevens won't get into their warm positions...
Nope. It's more like:
"Open source = code visibility", so that anybody is able to spot the bugs and fix them. This hugely embiggens the chances that somebody will spot the bugs, and that somebody will fix them (as you have a potentially much larger dev base); but then again, it doesn't mean that - magically - "security will happen" just because it's Open Source.
Also, I think you should be moderated "Troll"; but that would make this post "Redundant". Ah, well.
"...interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages)"
Why oh why did they split Joanna into 9 pages?! That's so cruel!
Also, First Post
This might come in handy for those of you that would like to do something about those id10ts:
"I have come across a statement on Your website, stating:
"DO NOT use FIREFOX or other Browsers besides IE. It has been decided that Mozilla based, non-IE browsers pose a security risk."
Here's the thing:
Development of Internet Explorer has been absolutely stagnant for a decade, to a point where it actually became a synonym for "insecure". But don't take my word for it, let's have a look at Secunia (a great website, tracking bugs in popular software).
Internet Explorer 6:
unpatched : 16% (22 of 135 advisories);
highest rated : moderately critical;
http://secunia.com/advisories/product/11/
Internet Explorer 7:
unpatched : 26% (9 of 34 advisories);
highest rated : moderately critical;
http://secunia.com/advisories/product/12366/
Mozilla Firefox 2.0.x:
unpatched : 10% (3 of 29 advisories);
highest rated : less critical;
http://secunia.com/advisories/product/12434/
Mozilla Firefox 3.x:
unpatched : 9% (1 of 11 advisories);
highest rated : less critical;
http://secunia.com/advisories/product/19089/
So:
1. every single version of Firefox has fewer unpatched advisories than every single version of IE;
2. every single version of Firefox has fewer overall advisories than every single version of IE;
3. every single version of Firefox has a lower percentage of unpatched advisories than every single version of IE;
4. every single version of Firefox has a less critical rating than every single version of IE.
Hence - how exactly have you come to the conclusion that Firefox is less secure? It's IE that poses security risks, and it's worse than Firefox by leaps and bounds!
I must consider dispersing such information about browsers as you do as utterly irresponsible."
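The four claims in the letter above are mechanical comparisons over the quoted Secunia figures, so they can be checked rather than taken on faith. Added example, not part of the original comment: a small parser for the "unpatched : N% (a of b advisories); highest rated : ...;" lines as quoted, plus a claim checker. The sample text is the comment's own numbers re-typed; the ordering of Secunia's criticality scale is the one Secunia used at the time; function names are assumptions.

```python
"""Check the four browser claims above against the quoted Secunia figures.

Added example; the numbers below are the ones quoted in the comment, re-typed
as sample input.  Function names are assumptions.
"""
import re

SECUNIA_TEXT = """\
Internet Explorer 6:
unpatched : 16% (22 of 135 advisories);
highest rated : moderately critical;
Internet Explorer 7:
unpatched : 26% (9 of 34 advisories);
highest rated : moderately critical;
Mozilla Firefox 2.0.x:
unpatched : 10% (3 of 29 advisories);
highest rated : less critical;
Mozilla Firefox 3.x:
unpatched : 9% (1 of 11 advisories);
highest rated : less critical;
"""

# Secunia's criticality scale, least to most severe; index = rank.
RATINGS = ["not critical", "less critical", "moderately critical",
           "highly critical", "extremely critical"]

UNPATCHED_RE = re.compile(r"unpatched\s*:\s*(\d+)%\s*\((\d+) of (\d+) advisories\)")
RATING_RE = re.compile(r"highest rated\s*:\s*([a-z ]+);")


def parse(text: str) -> list:
    """Turn the quoted block into one dict per product."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):                    # product header
            current = {"product": line[:-1]}
            entries.append(current)
            continue
        if current is None:
            continue                              # stray line before any header
        m = UNPATCHED_RE.match(line)
        if m:
            current["pct_stated"] = int(m.group(1))
            current["unpatched"] = int(m.group(2))
            current["total"] = int(m.group(3))
            continue
        m = RATING_RE.match(line)
        if m:
            current["rating"] = RATINGS.index(m.group(1).strip())
    return entries


def unpatched_ratio(entry: dict) -> float:
    return entry["unpatched"] / entry["total"]


def check_claims(entries: list) -> dict:
    """Evaluate claims 1-4 over every (Firefox, IE) pair, plus a sanity check."""
    ff = [e for e in entries if e["product"].startswith("Mozilla Firefox")]
    ie = [e for e in entries if e["product"].startswith("Internet Explorer")]
    pairs = [(f, i) for f in ff for i in ie]
    return {
        "fewer_unpatched": all(f["unpatched"] < i["unpatched"] for f, i in pairs),
        "fewer_total": all(f["total"] < i["total"] for f, i in pairs),
        "lower_unpatched_pct": all(unpatched_ratio(f) < unpatched_ratio(i)
                                   for f, i in pairs),
        "lower_rating": all(f["rating"] < i["rating"] for f, i in pairs),
        # Do the quoted percentages agree with the quoted counts?
        "percent_consistent": all(round(100 * unpatched_ratio(e)) == e["pct_stated"]
                                  for e in entries),
    }


if __name__ == "__main__":
    for name, ok in check_claims(parse(SECUNIA_TEXT)).items():
        print(f"{name:22s} {'OK' if ok else 'FAILS'}")
```

All four claims hold on the quoted numbers, and the stated percentages round correctly from the counts. Claim 2 (fewer advisories in total) is the weakest of the four as evidence, since a raw advisory count grows with a product's age and install base; the unpatched ratio and the highest rating are the figures a defender would actually weigh.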
Thirded! I, for one, am a Philosophy student, but a Linux/FLOSS hobbyist for a few years (had - and administered - my own home Debian server during most of those). Two years ago I got a job as a sysadmin at a small R&D lab at Warsaw University of Technology (yes, I still work there). Caveat 1: they were looking for a student; a degree in IT was not listed as a requirement. Caveat 2: I live in Poland, so YMMV.