Slashdot Mirror


User: Burz

Burz's activity in the archive.

Stories
0
Comments
3,080

Comments · 3,080

  1. Re:True Story on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 1

    > All they had to do was accept the cert and they would have been protected.

    Only because neither you nor anyone else had a MITM waiting for him. In general, the safe thing to do would be to not use the site until the cert's fingerprint could be verified with the operator in person or via secure email.
  2. Re:Key distribution on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 1

    I'm pretty sure I read that Firefox 3 was specifically going to address the keystore issue.

  3. Re:Answer on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 1

    Phishing sites have used signed certificates as well. But their cert won't match the domain name that their intended victims are trying to access, so the browser will throw up a warning.

    You pretty much have to ignore either the cert warnings or the domain spelling in order to be a phishing victim. That requires rank carelessness or ignorance on the users' part; in the latter case, it is important that users become educated about the issue by techies less cynical than yourself.

  4. Answer on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 1

    The only ways to really tell with a self-signed cert are to 1) personally get a copy of the cert from the site's operators; or 2) look up the site's fingerprint from an independent channel you trust and check it against the fingerprint your browser shows when you click on the lock icon.

  5. Interesting on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 1

    But I think you should remember that the warning dialog actually provides an opportunity for the user to import self-signed certificates.

    Rather, if more sites simply made a habit of posting their cert's fingerprint elsewhere on and off site, then people could make the most effective use of self-signed certs with the current browser behavior in place.

  6. You are correct to point that out on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 3, Informative

    However, that is why HTTPS security has to stand on a 'tripod' from the users' point of view:

    1) The lock icon appears in the address bar (while a picture of a lock on the page doesn't count).

    2) The domain name in the address bar is spelled correctly (because the lock is saying that the cert 'matches' the domain).

    3) No certificate warnings appear from your browser.

    If any one of those 'legs' is missing, then assurance of link security falls down. Otherwise (barring your computer being infected/compromised, or having a massive bug) you can be sure the link is both solid and also not a phishing site.

  7. Mod parent DOWN, please on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 2, Informative

    He is spreading misinformation. The Internet and its security mechanisms were never meant to verify real-world identity (whatever that means: photo, street address, SSN?) or good intentions. Yet SSL does, however, validate the site's Internet identity... it ensures that the domain name you see in your address bar represents the actual server(s) registered to that domain name. As others here already pointed out, this prevents MITM attacks.

    Thus, when you conduct critical business on the Internet, it is important to get the service's URL right from the horse's mouth. Otherwise a slightly-misspelled domain could amount to an attack of a different kind.

    Self-signed certs are OK if you have a decent way to distribute the certs to others. For instance, if you can get the cert's fingerprint listed on various other sites... people can then check the fingerprint through alternate channels of the cert they downloaded and imported into their browser/client. Distributing in-person among trusted individuals also works.

    OTOH, having a domain name mismatch would make me doubt whether the link could stand up to MITM attacks or if the cert I received wasn't a fake. Perhaps verifying the fingerprint is enough to satisfy most people, but for me it raises doubts about the site's technical ability.

  8. Re:'dd' is not the Linux counterpart to ghost on Man Fired When Laptop Malware Downloaded Porn · · Score: 1

    No, you're right about NTFS. I was thinking in terms of general use on Linux, which is my general-purpose OS.

    As for mapping *nix stuff to NTFS: I thought that Linux required that xattrs be turned on in the filesystem in order to support ACLs, in which case tar should be able to handle ACLs at least on the Linux side. It would not be much of a stretch to have tar store NTFS ACLs using the same extended attributes as on Linux. (or is that too kludgy?)

    After reading around a bit, tar doesn't handle ACLs on its own (though it easily could with a small change). A variant called 'star' is currently required.

  9. Re:'dd' is not the Linux counterpart to ghost on Man Fired When Laptop Malware Downloaded Porn · · Score: 1

    tar is still a good choice. Combined with sfdisk for storing/restoring partition structure, you have functionality similar to ghost. In fact, I'd say that later versions of ghost stopped behaving like an allocated-block copier and began acting like a file archiver that was able to remember/restore partition parameters.

  10. Re:'dd' is not the Linux counterpart to ghost on Man Fired When Laptop Malware Downloaded Porn · · Score: 1

    I disagree. Continuous spinning and continuous writing for days are two very different things.

    YMMV but I've found that drives get much hotter writing sequentially for very long stretches than they would with lots of seeking (and it's almost a certainty that caching will be reducing seeking anyway).

  11. 'dd' is not the Linux counterpart to ghost on Man Fired When Laptop Malware Downloaded Porn · · Score: 2, Insightful

    The 'partimage' program is. You could also check out 'g4l' which is the same idea.

    In any case where you have 80+ GB partitions that are mostly empty, which is most of the time, dd results in wait times (and space requirements on the destination) that are simply unacceptable and a huge waste IMO. The drives will also tend to become rather warm and stay that way for too long.

  12. Re:I wished archive.org stored even more stuff on Inside the Internet Archives · · Score: 1

    > Combining a bookmarking / caching service would be really handy.

    Install the Scrapbook add-on for Firefox, which does exactly that. You can save URLs, pages, sets of linked pages, and/or selected areas simply by right-clicking and selecting 'Capture'.

    The pages are saved in a folder of your choosing, can be organized in a hierarchy and also searched and viewed using the add-on; it even has a feature to 'refresh' a saved page from its URL, or just send you to the page's original URL.

    Finally, it has a quick element editor that lets you remove page elements, add 'sticky' notes and keywords, and combine multiple pages into one.
  13. Re:Food prices on SwiftFuel Alternative To Alternative Fuels · · Score: 1

    > Not what parent said; if we don't burn a barrel of oil because we have Magic Fairy Dust (tm), that barrel will just get burned by someone else. At least for the foreseeable future.

    Oh, technology is suddenly "Magic Fairy Dust"? Am I conversing with a Luddite on Slashdot of all places?

    And actually the GP did strongly imply that any consumption on our part will simply be taken up by other people. So not consuming petroleum (because of biofuel, or electric cars, or the subway, or greater efficiency, or just staying home) is bad using his logic. Those things will all lower gas prices for someone else so efforts to consume less are futile.

    > And "global cap-and-trade"? Are you kidding? Good luck getting every nation in the world to agree to that system. Good luck getting just China to agree to that system. Good luck getting everyone bound by that system to stop bickering over what their caps should be. And good luck having such a system function as it's actually intended to.

    Cynicism isn't a constructive trait. The Montreal protocol lowered CFC emissions so I don't think that level of negativity is warranted.

    > Getting the entire world to agree on a complicated system simultaneously is not a good way to solve world problems.

    Actually the world (sans USA) has been easing into it for years now. That's what Kyoto, which ends in 2012, was for.

    > Even if that problem would actually be solved by them doing so. The US has made greater progress on its would-be Kyoto goals than any Kyoto nation - and we didn't even sign the thing.

    Now THAT would be an interesting link to read. Though somehow I doubt one is forthcoming...
  14. Re:Why would you replace Xandros with Ubuntu? on Ubuntu Eee Goes Gold · · Score: 1

    Uh, check your timeline there. The EU case was almost TWO YEARS after the MSFT/Xand deal. And two years is a long time in the software world to be stuck with a product that can't integrate because MSFT won't give you access to the protocols. The EU had already sanctioned MS back in 2004. The court case was filed to force MS' hand to either provide documentation or pay up.

    Even if your timeline were true (which it isn't), that excuses Xandros claiming Linux belongs to Microsoft how?

    As someone who used Xandros from the Corel 1.0 days right through 4.0, it is not a matter of being "GPL pure". Xandros backed MS' vague claim that Linux contains MS intellectual property, but apparently you don't much care about MS efforts criminalizing over 90% of the Linux community.

    "Free choice: it's a good thing."

    Uh... yeah. Why then does Steve Ballmer say that people not choosing Novell or Xandros are opening themselves to litigation from Microsoft?

    Gosh, it must be "freedom".
  15. Re:Why would you replace Xandros with Ubuntu? on Ubuntu Eee Goes Gold · · Score: 1

    > Xandros HAD to sign that deal with MSFT or they would have been toast. You see Xandros is mainly sold as a "plays nice with Windows" solution, which means they HAVE to have Exchange and Active Directory support.

    At the moment when the EU handed MS its *ss and fined them over a $billion for not properly documenting and opening their protocols?

    That seems like a stretch that they "had to". In any case, their poor judgement and greed led them to claim Linux code for MS and themselves... there really is no excuse for Xandros whatsoever in trying to cast the rest of us as criminals.
  16. Re:Food prices on SwiftFuel Alternative To Alternative Fuels · · Score: 3, Informative

    Parent is trolling but I'll reply anyway.

    > And since oil is a fungible commodity, the oil you "replaced" will simply be sold off and burned by someone else...

    So all substitutes and methods of reducing emissions are futile, eh? Or had it occurred to you that they are not being developed in a vacuum; that they just might be effective with a global cap-and-trade system?

    And FYI, switchgrass and other cellulose feedstocks are being developed in order to address the land use and runoff problems.

    I'll stop 'preaching' to you now and let you get back to your "facts".
  17. Re:Why would you replace Xandros with Ubuntu? on Ubuntu Eee Goes Gold · · Score: 4, Informative

    As a long-time Xandros user who moved to Kubuntu, I have a good idea of what the trade-offs are:

    1) Ubuntu will have much more software, and it will be much newer. With Xandros, you may find yourself looking for 'backports' and other specially-packaged versions of software that is otherwise commonly available under Debian and Ubuntu.

    2) Xandros' integration with Samba really works, whereas the K/Ubuntu integration has never worked for me. I later learned that NFS is far better/easier for sharing so this became irrelevant.

    3) Ubuntu has more drivers owing to the newer kernel and other packages, but the hardware that Xandros does support tends to get configured somewhat better. Advantage here goes to Ubuntu because now that the distro is tailored for the Eee PC in particular, USB add-ons will be better supported than with the pre-installed OS.

    4) Xandros updates the OS extremely infrequently. You could wait a year or more for ANY security updates to come through.

    5) Xandros' File Manager app is very nice but got increasingly flaky and slow over the years.

    6) Xandros Inc. said they were switching their focus to servers a couple years ago.

    The final straw for me which ensured I'll never go back to Xandros is that they signed a dreaded Novell-like deal with Microsoft. Xandros thinks that by using Linux (not just their distro) you are using Microsoft's 'intellectual property'. Worse still, when GPL3 came out it was specifically worded to grandfather-in only the Novell deal, sticking it to the little "me-too" distros that sold out (i.e. Xandros and one or two others): Xandros will be on increasingly shaky licensing ground as the years progress.

    Personally I would avoid lining the pockets of a company like Xandros or Novell by purchasing their systems either bundled or directly.

  18. Re:Bootable ClamAV CD image... Ubuntu live CD? on New Antivirus Tests Show Rootkits Hard to Kill · · Score: 1

    It should be easy to add a small script to the desktop called 'Run Antivirus' which updates before running:

    # apt-get update && apt-get install clamav clamav-freshclam clamtk && clamtk

    You could run it with kdesu or whatever the gnome equivalent is.

  19. Re:Plugin, or perhaps a signing routine? on Charter Is Latest ISP To Plan Wiretapping Via DPI · · Score: 1

    What I'm thinking of is that the initial https login page gets signed and verified, but then the symmetric keys that were exchanged get cached and used for subsequent pages transmitted between the same browser/server. The keys could be expired from either side, after a timeout of 6-8 hours for instance.

  20. Interesting suggestion on Charter Is Latest ISP To Plan Wiretapping Via DPI · · Score: 1

    Websites could set up certs based on keys that are very low-strength (and hence easier to process). It would be enough to stop these advertising snoops and forgers.

  21. Re:Why no SSL on (for example) google.com? on Charter Is Latest ISP To Plan Wiretapping Via DPI · · Score: 1

    When you have a busy site like Google, that CPU time costs money. By far most of the effort expended in https is setting up the link with PKI asymmetric keys. If browsers (or browser add-ins like Google's) cached the temp. symmetric key for a long while, then demand on the CPU drops to a small fraction of a frequently-renegotiated https link.

    We could have the browser hold onto the temporary keys and drop them only after NIC status has changed (say, switched from Ethernet port to Wifi or disconnect-reconnect) or 8 hours has elapsed since the key was forged. That should make the https overhead very low while keeping links secure.

    It would be interesting to find out the extent to which web browsers already do this...
  22. Re:Plugin, or perhaps a signing routine? on Charter Is Latest ISP To Plan Wiretapping Via DPI · · Score: 1

    Once you are signing/verifying documents like that, you are already expending 95% of the effort to perform the encryption in the first place. So, might as well encrypt anyway IMO.

    The actual encryption that takes place is triflingly easy to perform since it involves only a symmetric key which is established after the asymmetric (signing) stuff happens. And it is the asymmetric stuff that is somewhat processor intensive.
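Added example (not code from any of the comments above, and not from any product mentioned on this page): one Go program that ties together the self-signed-certificate threads (comments 1 through 7) and the Charter/DPI threads (comments 19 through 22). The client side accepts a self-signed certificate only when its SHA-256 fingerprint equals a value obtained out of band and the certificate is valid for the hostname that was typed, which is the 'tripod' from comment 6 expressed as a TLS callback. The loopback server then shows that the 'cache the symmetric key for hours' idea of comments 19 and 21 is what TLS session resumption already does: the second connection redeems a session ticket and skips the certificate exchange and signature verification (TLS 1.3 in its psk_dhe_ke mode still runs a fresh ECDHE for forward secrecy). The hostname selfsigned.example, the in-memory certificate and the loopback server are assumptions made here so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSignedCert makes an in-memory self-signed cert for host (constructed for this demo, not a real site's cert).
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host}, // the name the lock icon vouches for
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// Fingerprint is the SHA-256 of the DER cert as a browser's cert viewer shows it: what a site would publish.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	parts := make([]string, 0, 32)
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":")
}

// PinnedVerifier accepts only the cert whose fingerprint equals the value obtained out of
// band, and only if that cert is also valid for the hostname the user typed (the 'tripod').
func PinnedVerifier(host, publishedFP string) func([][]byte, [][]*x509.Certificate) error {
	want := []byte(strings.ToUpper(publishedFP)) // tolerate a lower-case paste
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("no certificate presented")
		}
		if subtle.ConstantTimeCompare([]byte(Fingerprint(rawCerts[0])), want) != 1 {
			return fmt.Errorf("fingerprint mismatch: wrong cert or a MITM")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		return leaf.VerifyHostname(host) // name mismatch: refuse, as a browser would warn
	}
}

// ResumptionDemo: a pinning client with a session cache connects twice to a loopback server;
// the first connection's ticket lets the second skip the certificate and signature work.
func ResumptionDemo() (firstResumed, secondResumed bool, err error) {
	const host = "selfsigned.example" // assumed example hostname
	srvCert, err := selfSignedCert(host)
	if err != nil {
		return
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srvCert}})
	if err != nil {
		return
	}
	defer ln.Close()
	go func() { // serve the two expected connections in turn
		for i := 0; i < 2; i++ {
			if c, err := ln.Accept(); err == nil {
				c.Write([]byte("ok")) // Write runs the handshake; the ticket rides in the same flight
				c.Close()
			}
		}
	}()
	cfg := &tls.Config{ServerName: host, ClientSessionCache: tls.NewLRUClientSessionCache(8),
		InsecureSkipVerify:    true, // CA-chain check replaced by the pin below
		VerifyPeerCertificate: PinnedVerifier(host, Fingerprint(srvCert.Certificate[0]))}
	dial := func() (bool, error) {
		conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
		if err != nil {
			return false, err
		}
		defer conn.Close()
		_, err = conn.Read(make([]byte, 2)) // also processes the NewSessionTicket that fills the cache
		return conn.ConnectionState().DidResume, err
	}
	if firstResumed, err = dial(); err == nil {
		secondResumed, err = dial()
	}
	return
}

func main() { fmt.Println(ResumptionDemo()) }
```

Run with `go run` and it prints `false true <nil>`: the first handshake is a full one (pin checked, certificate verified against the typed name), the second resumes. Two practitioner points hide in the code: the Read in dial matters, because a TLS 1.3 ticket is delivered after the handshake and a client that closes without reading never fills its cache and never resumes; and Go does not re-run VerifyPeerCertificate on a resumed connection, so the pin is enforced at the full handshake whose secrets the ticket carries, the same trust a browser's 'remember this certificate' decision rests on.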

  23. The the AC says on Round Robin Scheduling Not Power-Efficient · · Score: 1

    ...you set necessary goals and then find the most efficient way(s) to go about them.

    OTOH I think the kind of study summarized by the Yahoo link gives science a bad name in human rights circles. In this case they treated a necessity as if it were a luxury where efficiency could become the paramount consideration. So we now know about a bit of human nature within an either/or false dichotomy (which is not very useful), plus we have the nasty suggestion that feeding everyone simply won't do from an efficiency standpoint.

    If the researcher wanted to be logically consistent with the choices they offer, s/he probably should have an option for distributing food among farmers only. Letting the rest of society starve would qualify as exceedingly efficient by this study's criteria, but I suspect such options would have thrown the author's foolishness into high relief.

  24. Re:Oh no! on Data Centers Expected to Pollute More Than Airlines by 2020 · · Score: 1

    Markets are just as artificial as government and anyone who says that all major decisions must involve only one mode or the other is pushing a brand of totalitarianism.

    > Some people insist on using whatever environmentalists say as the final quantification of all things, despite the fact that there are many things they cannot measure responsibly.

    Just throwing it back in people's faces doesn't make your argument any more convincing. For one thing, ecologists don't have any single, one-dimensional measurement to which all analysis must eventually be reduced. I also haven't met any reasonable person who would put the "science" of economics on par with ecology. So I don't see what the rhetorical trick of suggesting equivalence does here, except declare that you are on thin ice and out of ideas.
  25. Re:I say STFU, until.... on Data Centers Expected to Pollute More Than Airlines by 2020 · · Score: 1

    Funny thing though... the blue-blooded types who are the most heavily invested in the return of nuclear power (and nuclear weapons) as a growth industry tend to live in the very pretty-pretty places that are so exclusive and restrictive that NIMBY-ism pales in comparison.

    All in all, it's disingenuous to rail against NIMBY-ism when the above people call the economic shots and have a deregulated industry to boot. Problem is, their nuclear people and their insurance people (darlings though they are) don't want to talk to each other. Frankly, if you were a major player in the insurance industry and had to stare a 40-fold increase of nuclear operations in the face (amid the ridiculous hysteria over 'dirty bombs' spread by some of the biggest nuclear cheerleaders) I'm certain the cat would get your tongue too.

    Their only 'solution' so far has been to go beyond deregulation and make the nuclear interests immune to lawsuits. (Chairman Mao would be proud.)

    > I say BULLSHIT! You have three choices: Nuclear Power, Agrarian Society, Global Warming. Pick one.

    Yeah, but 6.5 billion people "returning to the land" to create agrarian societies would obliterate the ecosystem(s) a lot quicker than what climate change threatens to do. So your response is part BS too.