Slashdot Mirror


User: Sloppy

Sloppy's activity in the archive.

Stories: 0
Comments: 9,266

Comments · 9,266

  1. Should be pretty easy to find out why on Bitcoin's Value Plummeted Overnight and No One Knows Why (slate.com) · · Score: 1

    So, it went down and no one knows why, and also they're saying no one knows why it went up. I think that if anyone really wants to know why, it's very easy to solve this.

    Find someone who bought Bitcoin, and ask them.

    For example, if you want to find out why it went down, find someone who was paying $15,000 per BTC, and ask "why were you no longer willing to pay $15k? What new information came to light that made you realize it was worth only $10k (but still a fuck-ton more than $1k)?" and then just see what they say. Listen.

    Similarly, if you want to find out why it went up, find someone who was paying $10,000 and ask "Why was 1 BTC worth that much? Would you pay more for a bitcoin? $12.5k? 15k?" and just see what they say.

    The people doing this, are the ones who are thinking about how many dollars it's worth and making decisions. Just ask how they make the decision, and you'll have your answers.

    (WTF, why is everyone staring at me like I said something utterly naive? I don't get it. ;-)

  2. Re:why does my site need to be secure on Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises (bleepingcomputer.com) · · Score: 4, Interesting

    I am generally curious why someone would need EVERY site to be secured by https.

    I can't answer that question, but this..

    What about small businesses who don't offer any downloads or have any contact forms and as such their websites function like a digital flier.

    .. is easy. You don't want ISPs altering the flier. And people may recall, one of the big calls to arms for the whole Network Neutrality thing everyone has been talking about, is that ISPs were altering web replies to insert ads. I've heard Comcast users even say that Comcast still communicates some kinds of things to their customers by just barging into whatever web page a user happens to have loaded, and changing it to include a message from Comcast. (Because apparently email is too hard.)

    MitM can't only snoop; they can also change things.

    Examples involving intranets, though, I can't possibly get into Firefox's head. I am pretty sure whatever reason they come up with, will be bullshit. But I guess I ought to hear 'em, first...

  3. That was needlessly brutal and sadistic on Apple Seems To Have Forgotten About the Whole 'It Just Works' Thing (zdnet.com) · · Score: 1

    Holy crap. Sometimes I flame Apple, but I never... I have never said or read something so .. so...

    Wow. "Apple is Sony" is probably the most vicious, mean-spirited, nasty-ass HATEFUL thing I have ever read on Slashdot. (I mean, I remember reading where some guy mentioned his wife had died a few weeks earlier and an AC replied to discuss what her corpse must look like, but you just topped that piece of shit.)

    And when I think of all the reasons I don't buy Apple products (especially the iOS stuff; I could still theoretically imagine a situation where I might buy a new Mac), I realize that it's for exactly the same reasons I don't ever buy Sony products. Daaamn.

  4. Re:You need to figure out something else first on Ask Slashdot: How Do I Explain Copyright To My Kids? · · Score: 1

    There's no God-given right to read someone's commercially marketed novel on the device of your choice. If you don't like the device lock-in being offered by an author, don't buy their book.

    There's also no God-given right to deny anyone the ability to read the novel they bought on the device of their choice.

    Since the gods provide no guidance on this matter, we'll have to make some decisions ourselves. What do we want?

  5. Re:What's the problem? on Ask Slashdot: How Do I Explain Copyright To My Kids? · · Score: 1

    As an author, if I publish to iBooks or to Kindle or whatever, I have absolutely zero control over how their technical platform works. As an author I would want to be able to format shift.
     
    So it's not the copyright holders (me) it's the technology gatekeepers -- apple, amazon, etc.

    Hi. I'd like to point out something about that very situation, where authors have a lot of power that they aren't using. And it's interesting to see your attitude here, because it means you could (and perhaps should?) use this power.

    As you know, these platforms have included technological measures that are intended to work against the interests of the customer. (People really shouldn't be buying these devices!) DRM is why it's hard to take a book off one and put it on another. And it's illegal for people to circumvent DRM.

    That's where you come in. You don't have control over how their technical platform works, but you do have some control over how their legal platform works. Their attack on customers is an integrated approach where those two weapons are used together, but the author can make it so that it's not illegal to crack the DRM.

    DMCA 1201(a)(3)(A) defines circumvention:

    to "circumvent a technological measure" means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner

    Emphasis mine on those last seven words.

    If you (and I really mean you, the author; you have a very special position here) authorize your customers to break the DRM, then those customers will not be circumventing. They can legally crack the DRM and do whatever it takes to migrate their books between devices. They can talk about doing it, and how to do it, in public. If someone accuses them of violating DMCA, they can point at a statement from you that authorizes it, which causes many of the prohibitions in DMCA to become irrelevant.

    It doesn't get the job done (there's still cracking to be done) but it helps, especially from a legal angle in USA.

    But it only works if you, the copyright holder, have made such a statement. Think about it.

  6. Re:People are so fucking incompetent... on Dell Lost Control of Key Customer Support Domain for a Month in 2017 (krebsonsecurity.com) · · Score: 1

    we now have a huge mass of falsely educated people, more than ever before, which is worse than not being educated at all.

    Wait.. is it worse for them or is it worse for you? I think these people are happier than they used to be. The Internet has removed a lot of tedium and difficulty from my life. How about yours?

  7. Re:Public safety is not opposite to privacy on Justice Department To Be More Aggressive In Seeking Encrypted Data From Tech Companies (wsj.com) · · Score: 1

    That's true but I think it's a stupid argument to make, and you should stop doing it.

    You need stupid peoples' support, and there are a lot of people (i.e. voters) who are pretty sure that their government is the one and only force for good in society. It doesn't matter if they're wrong; they are going to use their power to set policy based on that belief.

    The right way to approach them is to explain -- no, remind them of -- two things that they won't religiously disagree with:

    1) Your government is not the only government. Maybe you have extreme unjustifiable faith in your government, but you don't have faith in that other government over there.

    2) There exist competent criminals who are not part of any government (neither your own, nor another).

    These are both common sense truths that aren't controversial, yet all proposals to weaken computer security are based on the idea of ignoring both of them. When you encounter a fascist, don't tell them they are propping up their government at the peoples' expense, because they don't care. Just remind them that they are propping up other governments, and criminals, at their own government's and peoples' expense.

    There simply isn't any domestic agenda, not even zealous crime-prevention, where it makes any sense to weaken computer security. Even your political opponents, for all their flaws, can be made to see the ways that the strategy is utterly stupid and works against whatever they're trying to do. Every time they draw their gun, laugh at how once again they managed to aim it right at their own head.

    If you're against computer security, then you're anti-American. Because America uses computers.

  8. This is why we need standards on Justice Department To Be More Aggressive In Seeking Encrypted Data From Tech Companies (wsj.com) · · Score: 1

    A tech company should not have the capacity to compromise security. (Since all companies can be coerced, whether legally or illegally, and your computer won't ever know the difference.) At worst they should only be able to deploy malware which uses a covert channel to leak keys or something. The crypto itself (which will probably also involve key exchange, though not always) needs to be done in a way that complies with a standard (i.e. there are multiple competing tools, by different developers, that can work with the data) then the data itself ought to be safe.

    OpenPGP is an example of something done right. LUKS/dmcrypt is another. If a hostile entity pressures a developer to make it not work right, what could they do?

    If some company is in charge of your security, then you don't have security. And if you are using proprietary communications software, that means you have one company in charge of your security.

    Phase out the "tech companies"' role in your communications. The US government is telling you right now they intend to exert force to prevent whatever-it-is from being able to be secured. If you're using proprietary software for any sort of non-public communication, then you're doing it wrong, and you know you're doing it wrong (i.e. you do not have any expectation of privacy).

  9. Re:There are two hard problems in computer science on Refresh Is Sacred (tbray.org) · · Score: 1

    If we can't quickly remember it, I suppose we could expensively derive whatever it was. But I'd rather remember it.

  10. There are two hard problems in computer science on Refresh Is Sacred (tbray.org) · · Score: 2

    One hard problem is naming things. Anyone remember what the other one is?

  11. Re:alternatives? on China Blocks WhatsApp (theverge.com) · · Score: 1

    So what can be used instead if you need end to end encryption?

    Software can "prevent" MitM attacks in the sense of detecting when they're attempted and then refusing to work. But it can't really prevent a MitM attacker who says "let me MitM or else I'll make things stop working."

    Solutions are hard. Here are some:

    Use different physical links that don't go through their firewall. e.g. run a cable or use radios across their border.

    Kill them or vote them out, until you have a more human-friendly regime.

    (Ok, here's one software solution, but it has problems.) Maybe use steganography and try to stay below the radar, but that's not an option for anything big/popular/mainstream.

  12. Re:Well, duh on The Problem, Really, is This Thing Called 'Disruption' (wired.com) · · Score: 4, Interesting

    Anything that I spend my own money on, I want disrupted as much as possible. The more I go to convenience stores, the more I'd like 'em disrupted.

    Just don't touch the industries where my paychecks come from.

    And don't point out that everything is related so that if you disrupt my convenience store you'll eventually, however indirectly, end up disrupting my paychecks. Shh. I don't wanna hear it.

    Adapting to change is for other people!

  13. Capabilities, not intent on EU Set To Demand Internet Firms Act Faster To Remove Illegal Content (reuters.com) · · Score: 1

    Whether those who are trying to use force intend to really just limit their actions to illegal content or not, they are trying to introduce these censoring capabilities and the tech itself will not have any idea what content is illegal and what isn't. A computer doesn't know when it's censoring lawfully vs censoring because Scientology Inc figured out how to exploit a bug.

    If a government (and there are many governments, we're not just talking about yours, whichever one that may be) is able to ban pirated pro-terrorism childporn, then it is also able to ban Thomas Paine's pamphlet too.

    Therefore, it is necessary for those who value free speech to frustrate these mechanisms and try to prevent them from ever having the capacity to effectively function. It needs to fail, not just politically/legislatively/judicially, but technically.

  14. Re:Too Slow on Google Details Plan To Distrust Symantec Certificates (tomshardware.com) · · Score: 1

    This had *nothing* to do with being kind to Symantec and the old Verisign business, it's all to do with giving users a chance to update their environment before everything breaks.

    If an untrusted cert breaks things, then the user's browser is defective.

    It should work, but the UI should indicate that it's not totally sure who the user is connected to. That's ok to do, because it's true. (An untrusted cert should never, ever have any negative consequences or keep things from working if the user so chooses; it should just have a lack of positive consequences.)

    If we are still using defective browsers, then it is good to break things now, so that we'll have incentive to fix the browsers. Otherwise, this is going to keep happening whenever CAs fuck up.

    We are institutionalizing CA unaccountability by saying "it needs to keep looking good" is more important than "it needs to accurately reflect how sure we are."

  15. Re:TRUST is supreme on Google Details Plan To Distrust Symantec Certificates (tomshardware.com) · · Score: 1

    One of the problems that PGP solved a quarter century ago, was understanding that it's hard/foolish to put all your eggs in one basket. Trust is a matter of degrees. It's batshit insane that our trust levels are "I completely trust you, absolutely" and "I don't trust you at all." In real life, you almost never use the former, and you trivially upgrade from the latter (but almost never all the way up to the former!).

    When an introducer is sort of trusted, and sort of not, it should be entered that way and handled that way. And you should have multiple introducers, to make up for the fact that you can't possibly trust any of them completely (and also the fact that your trust opinions change). Losing a popular CA should have minimal impact, provided that each identity is certified by several others.

    Yet we still don't use this level of tech on the web, even though it (barely) pre-dates the web.

  16. "143 million U.S. customers" sounds a whole lot like someone's guess as to how many adults live in USA. I don't know if it's correct, but it's gotta be in the ballpark.

    I suspect this means that Equifax leaked their entire database.

  17. It still sounds fine as an identifier. But if anyone is thinking of it as a secret, they probably need to change the combo on their luggage.

  18. Re:Free the Bootloaders on Vulnerabilities Discovered In Mobile Bootloaders of Major Vendors (bleepingcomputer.com) · · Score: 3, Insightful

    It's an even sadder realization that the person who bought the device is NOT considered to be trusted by default, and that said person must hack the device they own to get that trust back.

    Never buy any hardware until after you have at least asked who is its master. Whose interests does that computer serve?

    And if the master isn't you, then instead of asking how much you pay for it, ask how much you're being paid to use it.

  19. Re:Should be a simple problem to solve on Hacking Retail Gift Cards Remains Scarily Easy (wired.com) · · Score: 1

    They use a sequential or systematic series so that they don't need to maintain a database of unactivated cards.

    God forbid a business spring for a pair of $80 hard disks.

    Yeah, I think I would relax the "we don't want to maintain a database of unactivated cards" requirement. How hard can that be? And it solves the fraud problem too? Pays for itself on the first day.

  20. What is the point of hideously overpriced dog-slow large-capacity SD cards with extremely limited wear leveling and piss poor reliability?

    The point is that it's a step toward something incredibly useful: dog-slow large-capacity SD cards with extremely limited wear leveling. If you can make 'em cheap and reliable enough (the two problems that I deleted from your description) you can finally have a car music player that doesn't need a hard disk.

  21. Apparently this is popular on A Canadian University Gave $11 Million To a Scammer (vice.com) · · Score: 2

    My city fell for that one.

  22. Re:Monopoly on Traditional Radio Faces a Grim Future, New Study Says (variety.com) · · Score: 1

    Does this mean the spammers will eventually give up on Usenet's non-binaries groups and human users can reclaim them?

  23. Re:Do some ballot measures... on Kansas City Was First To Embrace Google Fiber, Now Its Broadband Future Is 'TBD' (vice.com) · · Score: 1

    Fuck yeah!! ^ This guy civics.

    Basically, all we need from the feds is to get out of the way, or use them as muscle if corrupt state government keeps cities from being able to legally do this. (And really, before we do that, we should just start voting in our state elections so that they don't have to be as corrupt anymore.)

  24. Re:Unfettered capitalism at work on Sonos Says Users Must Accept New Privacy Policy Or Devices May Cease To Function (zdnet.com) · · Score: 1

    A boycott - even if successful - only ensures they get sneakier about future attempts at the same goal

    Even the click-through-EULA apologists haven't yet gotten rid of the click-through. While they've shown plenty of criminal intent by moving the "agreement" to after the sale, they still haven't yet gotten rid of the pretense of "agreement" altogether. As warped as our law is, there really are limits to contracts of adhesion: if they try to hide the existence of the contract completely, any court will say there's no contract at all.

    What I'm getting at is: when they attack you, they're always going to show you a EULA. There might be a lot of fraud about what, exactly, you "agreed" to but the attack will be visible even if you don't know exactly what the attacker is trying to pull.

    They simply can't be sneaky enough, if you adopt the best practices of rejecting all EULAs. Any time you see a EULA, decline. You know it's an attack, and there's virtually no chance that it's not an attack. It's just a question of details and severity.

    If you want to change the law, ok. But don't focus on this one little example niche problem. Solve the general case. Make it a federal offense to manufacture, import, offer to the public, provide, or otherwise traffic in software intended to make hardware work against the interests of its owner.

    You'll be solving lots of problems by doing that. The only downside is that it'll make us run out of things to whine about on Slashdot.

  25. Once you give up physical access to your device, you give up security.

    And when it comes to phones, that happens before you even buy it. The idea of a phone's security being subverted is laughable. It never had any security! It was always someone else's computer.

    Granted, you would probably prefer your phone to have n masters above you, rather than n+1. But for high values of n, the more you care about that, the less sense it makes. You should probably worry more about n and less about the +1. Solve the real problem, and you'll solve the fake problem too.