Slashdot Mirror


User: arcade

arcade's activity in the archive.

Comments · 672

  1. Re:Only 6.8Mbps? on East Coast Broadband Fastest In USA · · Score: 1

    With that kind of bandwidth you can start using the internet as your local network. It means you can put your nice little server in a nice colo, and use that from home. Or from your friend's house - and not notice it very much that it isn't local.

    Or you can have your server at home, and when at your friend's place, you just mount your homedir from your home-box straight into the filesystem of your friend's box - and play, say the divx that's located in your homedir on your home-box. On his computer.

    Or, say that you are a graphics person and work from home. You're pulling up the 200MB .raw-format picture from your work's server. You'd rather have it pull up as if you were working from your workplace - and not be less efficient when at home. .. and so forth

  2. Re:Nuke Plants More Dense on World's Largest Solar Plants Planned In California · · Score: 1

    I'm not sure it's a fallacy.

    Around here, the eco-people are honest enough to say what their motive is. Their motive is to get us to take a cut to our living standards and reduce the need for energy.

    Of course, they will never succeed - but they don't realize that.

  3. Re:Censoring access? I think not. on Russia and Georgia Engaged In a Cyberwar · · Score: 1

    If you think that's related to my post, I think you've misunderstood how DNS works.

  4. Censoring access? I think not. on Russia and Georgia Engaged In a Cyberwar · · Score: 4, Interesting

    I think the claim that Georgia is censoring traffic is probably misleading.

    What's happening is that they've got incoming DoS-attacks, and have probably nullrouted quite a few Russian IP-ranges. This probably includes quite a few DNS servers, making DNS lookups fail.

    I haven't taken the time to _check_ any of this, but if you nullroute the DNS servers, of course DNS lookups will fail. If you're under a DoS, of course you nullroute quite a lot.

  5. Re:this has been the case all along on Is Hushmail Still Safe? · · Score: 2, Informative

    Really?

    Yes.

    Seriously?

    Yes.

    Really think you're all that l33t using published crypto?

    No, I consider it to be just a regular part of my day.

    Zenlike ignorance. Must be a fucking rush.

    No.

    As another poster skillfully pointed out, unless you write your own encryption and know your OWN code, open/published standards should be considered compromised, especially when talking about our Government (or any other one for that matter).

    Heh. If you write your own encryption, there is a huge possibility that you're pretty *dumb*. Unless you open it so that others, not just your friends, can verify what you've just done. You don't necessarily need to open it to the general public, but you need to open it for review by a bunch of equally good or better cryptanalysts.

    Open/published standards should by no means be considered compromised. Encryption methods NOT opened, which are UNPUBLISHED should be considered compromised. It's a pretty old adage these days that the encryption methods should be open - and the key information should be secret.

    And why on earth do you think that your government is so much smarter than non-government types? It's not like they're superhumans.

    Good old fashioned pen and paper secured by cold steel and lead seemed to secure many a secret for far longer than we've been clicking "encrypt and send"

    Encrypting the data you store away in your cold steel and lead cabinet (or on your own hard drive) would obviously be even more secure.

  6. Re:this has been the case all along on Is Hushmail Still Safe? · · Score: 5, Insightful

    Think our Government doesn't have the capability of decrypting them all,

    No.

    or more to the point the capability of demanding unencrypted data be handed over?

    Well, if you mean by actually torturing you? Well, depends on whether you believe your government does that to Americans or not.

    If you refuse, you refuse. They then can't get to your data.

    Unless you use Debian, of course. :-P

  7. Re:I understand running away from prison... but on Spam King and Family Dead In Murder-Suicide · · Score: 2, Interesting

    Sleep deprivation isn't fun...

    Well, I certainly agree that it's not fun if you're having trouble sleeping. For me, it has been quite a fun experience though. The reason? Because I don't have trouble sleeping. Trying to stay awake for as long a time as possible to observe the effects was fun. At least for me.

    The "hearing your name" thing was the worst for me.

    It wasn't _bad_ for me, but it was damn annoying, as I always started looking for the person shouting until I realized it was the sleep deprivation that caused it. Looking for which person is shouting at you with 4000+ computer geeks around you is.. interesting.

    Moral of the story, don't deprive yourself of sleep on purpose because you want to see what it's like.

    You might be right that it's a dumb thing to do - for me it was just interesting, as I knew I could just give in to sleep at any moment I wanted. Hasn't affected me badly in any way that I can tell .. except giving me interesting experiences. :P

  8. Re:I think this is exactly what is needed ... on Attack Code Published For DNS Vulnerability · · Score: 1

    Then I misunderstood you.

    I thought you disliked that it always grabbed a different port number. :-)

    Getting yourself 2500 ports, and keeping the same ports for the duration of the nameserver's life is certainly not a very intelligent solution. For one, it's way more predictable than using 64000 randomly.

  9. Re:I understand running away from prison... but on Spam King and Family Dead In Murder-Suicide · · Score: 2, Interesting

    after a drawn out period where I started seeing spiders coming at me in all directions (an extreme phobia of mine). Today, we have found out that this condition only emerges when I don't sleep at least 6 hours a night,

    That's interesting. I don't have the phobia, but I experience a lot of stuff during sleep deprivation, and it includes spiders!

    To be more exact, I've been to quite a few computer parties, and a common theme is that you quite simply do not sleep for as long as you can in the beginning. After around 40-50 hours, I start getting interesting effects.

    1. I start hearing people calling my name, from random directions - over the sound (lots of music at computer parties).
    2. I start seeing spiders running over my keyboard, and also shadow-sized (Babylon5) spiders walking around.
    3. I start feeling that a person is looking over my left shoulder, reading my screen.
    4. I start feeling cold.

    Only point number 3 caused me to be startled from time to time - but since there was nobody there I was only startled for about 1-2 seconds. ... I usually found that I would go find my bedroll around ~50 hours, as I didn't like the effects.

  10. I think this is exactly what is needed ... on Attack Code Published For DNS Vulnerability · · Score: 1

    Sorry, but I'm pretty certain that this is needed. It needs to use random UDP ports for each reply. If it's just 2500 ports, that's bad. It should use around 64K ports.

    One chosen at random, for each reply it is sending.

    Or is it something I do not understand in the problem you're describing? Or is it you too that do not understand the problem?
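Added example, not part of arcade's comments and not taken from any resolver's code: a defender-side check for the point made in items 8 and 10 above, which takes the UDP source ports seen on a resolver's outgoing queries and estimates how large the port pool really is. The sample port lists, the 2000-query sample size and the 16384 threshold are constructed assumptions.

```python
import math
import random

TXID_SPACE = 2 ** 16   # the DNS transaction ID is a 16-bit field
PORT_SPACE = 2 ** 16   # a UDP port is a 16-bit field


def expected_distinct(pool, n):
    """Expected number of distinct ports after n uniform draws from `pool` ports."""
    return pool * (1.0 - (1.0 - 1.0 / pool) ** n)


def estimate_pool(distinct, n):
    """Invert expected_distinct() by bisection to estimate the pool size."""
    lo, hi = max(distinct, 1), PORT_SPACE
    if expected_distinct(hi, n) <= distinct:
        return hi  # too few repeats to tell apart from the full range
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if expected_distinct(mid, n) < distinct:
            lo = mid
        else:
            hi = mid
    return hi


def assess_source_ports(ports, small_pool_below=16384):
    """Classify observed query source ports (threshold is an assumption)."""
    n = len(ports)
    if n < 100:
        raise ValueError("sample too small to judge")
    distinct = len(set(ports))
    steps = [b - a for a, b in zip(ports, ports[1:])]
    sequential = sum(1 for s in steps if s == 1) / len(steps)
    if distinct == 1:
        verdict, pool = "fixed", 1
    elif sequential > 0.5:
        verdict, pool = "sequential", 1   # next port is predictable
    else:
        pool = estimate_pool(distinct, n)
        verdict = "small-pool" if pool < small_pool_below else "randomised"
    # Unpredictable bits in a reply: source port pool times 16-bit transaction ID.
    bits = round(math.log2(pool * TXID_SPACE), 1)
    return {"queries": n, "distinct": distinct, "est_pool": pool,
            "verdict": verdict, "guess_bits": bits}


def constructed_samples(seed=1, n=2000):
    """Constructed port captures for four resolver behaviours (not real data)."""
    rng = random.Random(seed)
    return {
        "fixed": [53] * n,
        "sequential": [32768 + i for i in range(n)],
        "pool-2500": [rng.randrange(49152, 49152 + 2500) for _ in range(n)],
        "full-range": [rng.randrange(1024, 65536) for _ in range(n)],
    }


if __name__ == "__main__":
    for name, ports in constructed_samples().items():
        print(name, assess_source_ports(ports))
```

The repeat rate is what separates the two cases in the comments: 2000 queries drawn from a 2500-port pool reuse ports constantly, while the same number drawn from the full range almost never do.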

  11. Re:Start with configuration. on How To Encourage a Young Teen To Learn Programming? · · Score: 1

    Yes, I'm serious.

    I don't understand why it would be boring to learn how to use your computer. It's a good way to start out, and a very necessary part to become adept at programming later on. Starting to program before you know your way around the computer can certainly be interesting, but to become a solid programmer you first need to learn the basics.

    And, you talk about "computer maintenance" as if there is no need to learn quite a bit of programming doing exactly that. There is a great need.

    Think databases... "Hmm, I've gotten my usernames and passwords from a database.. maaaybe I can create a nice little application that tracks my CDs the same way?". .. and so forth.

  12. Start with configuration. on How To Encourage a Young Teen To Learn Programming? · · Score: 1

    I think the right approach is to start with teaching him how to configure stuff himself. Linux only, of course.

    Then throw him the Gentoo-bone.

    Make sure that you give him a new cool distro, with some cool stuff - that just doesn't work straight out of the box. Something he wants to use, but that quite simply doesn't work as it should. Make sure it's easy to fix, though. Make sure you don't have time to help him more than by pointing at the documentation.

    And of course, the kid should have root.

    Make sure that each new cool thing is always 'one step away' from not working, but always in different areas.

    Kind of fun how quick kids are to learn how to fix stuff, when they want to get something to work.

  13. Age of Conan much more interesting. on Talent Build Examples for Blizzard's New Death Knight · · Score: -1, Flamebait

    Not to start a big flamewar about games. I realize that World of Warcraft is a massive game, with much more in-game content (for now) - but in my personal opinion, Age of Conan is a much more interesting game.

    The main reason, for my part, is that it's based on a much more interesting universe that has been explored in (mature) comics for many, many years. Now, with the release of the game, a whole new part of the universe has opened. A universe I personally find way more interesting and appealing than the universe of World of Warcraft.

    (Of course, there's still the stability bugs, the memory bugs, the lack of content in many areas - and even the lack of areas .. but all that will be fixed in a timely manner. :-)

  14. Re:He forgot to secure the client-side on UK PM's Aide Loses BlackBerry In Chinese Honeytrap · · Score: 2, Funny

    Thinking a little bit more about it, I also hope he remembered to use a proper firewall/virus scanner to prevent malware infections. The article also forgets to mention whether he has signed a non-compete agreement when it comes to Penetration Testing - in case he might lose his current contract, for a one night consulting-job.

  15. He forgot to secure the client-side on UK PM's Aide Loses BlackBerry In Chinese Honeytrap · · Score: 5, Funny

    Tsktsk.

    He should get instructions on how to safely do Penetration Testing of the Chinese secret service. Clearly he forgot to secure the client side properly. Except for that, the article is a tad vague on whether the testing itself went smoothly and he found some holes.

    *Ahem*

  16. Re:You see, there's this thing called economics on Stallman Attacks Gates, Microsoft, & Charity Foundation · · Score: 3, Interesting

    I'm a Linux zealot. I haven't used a Microsoft product out of free will since 1999. But even so, I do admire Bill's work when it comes to fighting diseases, starvation, and so forth. More below:

    society will have a lot of money left over to spend on fixing disease, starvation, etc.

    In an ideal society - yes. And heck - I would absolutely prefer that various countries choose to use Linux (or BSD) instead of Windows. I especially think that third world countries should do so. But! That doesn't help your argument.

    The thing is, most third world countries aren't ideal countries. There is a huge lot of corruption, inefficiency, and so forth.

    I'm pretty sure that more of the money third world countries pay for Microsoft products - end up as paying for fighting disease, starvation, and so forth - than money _earmarked_ for doing exactly that in many of the countries in question. Why? Because the Bill and Melissa Gates foundation tries to make sure that their money is used efficiently (if I remember correctly).

    I still would rather that they used free software, instead of being locked in. I think the countries would benefit from it in the long run. But I very, very much respect Bill Gates for how he spends his money on charity.

  17. Re:Always. on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 1

    Trusted by whom? Certainly not me, the user. I think the use of such ambiguous language creates a false sense of security.

    Sure, but that's another debate.

    No, but the attacker may BE the site. In other words, certs are not a means of secure introduction.

    I haven't claimed otherwise. Certs are a means of a secure *connection*. It doesn't say anything of the security of the actual site. It never has. It tells you something about the *connection*.

    Why are you confused about this?

    Saying that certificate authorities are necessary only because they foil man in the middle attacks is a poor justification.

    Poor justification for what?

    There are a plethora of other significant attacks that CA certs in their current form cannot prevent.

    And? What's your point? You have a problem with what the trusted third party's role in SSL is? Then pray, how are you going to solve the man in the middle-problem?

  18. I seldomly see postings so devoid of clue. on AVG Fakes User Agent, Floods the Internet · · Score: 2, Insightful

    I don't think I've seen a posting so completely devoid of any intelligence in a long time.

    Are users not supposed to protect themselves in the interests of the website?

    Sure they should. Nobody has suggested that they should not.

    Since AVG is producing something that helps end-users do you really want to be seen as a promoter of the problem?

    If they want to help the end-users, they should scan the content before it's given over to the webbrowser - not pre-scan all links.

    Since the problem of malware sites is not going to go away and since AVG is effective more antivirus software will start using these techniques. Unless you have something better to suggest?

    Why not just do the sane thing? Why not just scan the content as it's being downloaded? Why on earth be a malicious bastard costing people and companies hundreds of millions in extra bandwidth costs?

    Frankly, as an end user, I don't give a damn about your costs and stats. I don't care about it for amazon, ebay, myspace, or paypal. I do care that if I follow a link to an unsavory site that I am protected.

    Which you can be in any case if the software in question is anything close to sensible. In your arrogance, you've completely forgotten that there might be better ideas on how to do this. Ideas that are even simpler, and that have been implemented in a lot of products for a long, long time.

    I suspect that you're either extremely dim, or you work for AVG. This thread is suspiciously full of people defending AVG, without really contributing anything but hyperbole and bullshit. You're one of those "contributors".

    Here is another question. Do you want a userbase that is populated by malware infected computers? Is that preferable to figuring out a way to work with AVG new technique?

    Work with them!? WORK with them!? If they pick up all the bandwidth-bill-hikes they've caused globally - then sure - I would be willing to work with them. I do suspect that they would go bankrupt if they tried, though.

    And why on earth should anyone work with someone who does something as foolish as this? When much simpler, better and easier solutions have existed for a long time?

    No, AVG deserves all the blame they can get.

  19. Re:I discovered this the hard way on AVG Fakes User Agent, Floods the Internet · · Score: 1

    I'm not at all sure what SEO means, but why shouldn't you? Why should you expect some idiots to do malicious stuff like this (or maybe just 'so plain stupid that it's malicious anyways')? And, say, what if you've been on the internet for quite a while, having some very nice old and often accessed webpages - which loads of people link to (thus higher pagerank)? Should you have to suffer the cost? Even though it's just your personal playpen - that just got way more expensive due to the AVG idiots?

    The internet isn't just major corporations. It shouldn't be. It's also loads of individuals who rent servers and put up their playthings. Why should these be suffering just because of some *idiots* like AVG?

    What AVG is doing is morally - and hopefully criminally - wrong. There is nobody else to blame than them.

  20. Re:Always. on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 1

    The CERT authenticates that you are talking to the site a trusted third party has signed a certificate for. It means that an attacker isn't between you and the site. In other words, it means there is no attacker between you and the phishing site.

    You, in other words, know that you are talking to the site your browser thinks it's talking to, and not an attacker between you and the site. It does not authenticate the _site_, if that is run by badguys. It authenticates that there are no badguys between YOU and the site.

    If you are using paypa1.com instead of paypal.com, and that's a phishing site, well, what you've authenticated is that there isn't a badguy in the middle between you and the phisher. You might still be fooled, though :P

  21. Re:Always. on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 2, Insightful

    No.

    The function of the KEY is encryption. The function of the certificate is authentication.

    Big difference.

  22. Re:Always. on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 1

    I didn't say the user should feel safe.

    The trusted third party _is_ needed to solve the key distribution problem, unless you've got a hell of a lot of resources. This may or may not be something you worry about - but that's it (At least in this mode, they've also got a role to play in digital signatures).

    There have, however, been attempts to hack 'user safety' on top of the feature list for trusted third parties. To that I just say: hogwash!

  23. Re:Always. on When Is a Self-Signed SSL Certificate Acceptable? · · Score: 2, Informative

    I think you've misunderstood it (or I've not read what you said closely enough).

    You are Alice. You want to talk to Bob's website: www.example.com

    I'm Evel (Hi, I'm male, can't use Eve then ;) - and I by chance control your upstream.

    Alice -> home network -> ISP (Evel) -> Bob.

    Now, you try to connect to www.example.com, and he has got a signed certificate. I don't care about that, and insert my own certificate generated nicely for www.example.com . You get a browser warning - and since you know that Bob has a signed certificate, you know something fishy is about. You will still be communicating through an encrypted channel, but you're going to MY box, with MY certificate, talking to ME. I on the other hand proxy (decrypt, reencrypt -proxy) the requests to Bob. For you, everything looks normal - but I am listening in on the conversation.

    Now, say that we didn't have signed certificates. You would not get a browser warning. You've reinstalled your computer, and you don't have Bob's certificate lying around, nor his certificate's fingerprint. You access his site, you don't get a warning, and heeey - you don't even have the opportunity to suspect that I'm listening in.

    That's the man in the middle we're talking about. Somebody intercepting the traffic, giving you a fake certificate, and using a proxy like that. That's the only thing SSL Certificate Authorities are there to prevent. Nothing else. They've tried to create an additional revenue stream by having 'high class' certificates with extra checking and yaddi-yaddi - but that of course is a nice little scam on their part.

  24. Use several, and make your own on Choosing a Unix System Administration Textbook? · · Score: 5, Insightful

    Okay, so you want to teach people Unix.

    First off, it's important that you know unix yourself. Then it is important to explain the unix philosophy, and start with the basics. Since I do a bit of unix teaching, I think I'll put forward how I prefer to teach my pupils.

    First off, it's important that they know the basic philosophy.
      - Everything is a file
      - Many small utilities, that each do their own little thing
      - Utilities can be combined.

    Choose a decent shell, and teach them how to use it. bash seems to be the industry standard, so go for that (or go for whatever you want, but be certain that you know it yourself).

    Then teach them about STDIN, STDOUT and STDERR.

    Explain that each utility they launch has those three file descriptors. Teach them pipes. Explain that pipes connect STDOUT from one process to STDIN of another. Explain that you can redirect STDERR to STDOUT to include it in the pipe. Explain that you can connect STDOUT to a file. Explain that you can connect a file to STDIN.

    Explain command line substitution (backticks).

    Then go forth and explain the basic utilities. Explain how to use 'man' and 'apropos' (or man -k). Explain the other basics such as cat, grep, cut, tr, find, xargs, df, kill (man signal), pkill, the evils of killall, ifconfig, netstat, and so forth. Explain how you can use pipes with these utilities. When they've mastered the basic utilities, move on to explaining sed and awk.

    When they've understood these basics, which they should after some 3-4 lectures + training sessions - they can move on to the more advanced stuff.

    Explain about filesystem hierarchies. Explain the basics of filesystems and what inodes are. Explain atime, mtime, ctime. Explain how to use fdisk (or format if Solaris). Explain how to create filesystems - and why inode density might be important. Explain why it's important with different partitions / disks. Then move on to explaining volume management.

    At some point, they should read "Learning the bash shell" (or a similar book for other shells), and learn shell scripting.
    At some point, they should choose themselves another scripting language, be it perl, python, ruby or something else.

    After they are past these basics, you should start talking about actual system administration. They are now ready to move on to topics such as how to configure syslogging, NFS and how to configure the local mailer daemon. After that they should now have had to touch the MX records, and DNS might pique their interest. Teach them bind. Then teach them another DNS daemon just to show that there are more of them. djbdns might be a good alternative.

    If you're evil, this might be a good time to teach them to hate printing by trying to explain to them how to configure a print-server. Make sure there are some evil printers around. It's important to teach them about both postscript-printers and the evils of non-postscript printers.

    After all this, they should have a toolchest big enough to be able to do the rest themselves. They're ready to be self-taught for the rest of whatever they need to do.

  25. Behaviour isn't WRONG wrong, but Not Good. on Google Mail Servers Enable Backscatter Spam · · Score: 2, Interesting

    This behaviour isn't WRONG wrong, but it's not very good practice any more.

    There are some problems here.. First of all, what if the server in question doesn't know what users are 'good' or not? Say, if it's a backup MTA? The non-primary MX? Which are receiving mail due to the primary being down?

    Quite common for them not to know about all the email accounts.

    Now, problems with backscatter have been there for a while. It's certainly not nice, but there are only so many things one can do. If you read the original RFCs, Google's behaviour is entirely acceptable. Unfortunately the original RFCs for SMTP were written way before spam became a problem...

    Other MTAs are "just as bad". Look at qmail for example. This is default behaviour in qmail. It'll accept any email without confirming whether the recipient exists or not (to prevent in-line data-mining of what accounts are there and what accounts aren't there). If the email is to a bogus recipient address, qmail will generate a bounce.

    This bounce will go to the From: address.

    And that's QMAIL - which is considered a secure mta.

    Then you have the same problem, as I've mentioned, occurring when you've got a secondary MX which doesn't have a list of users. The choices for the MTA are to either create a bounce and inform the sender that the recipient doesn't exist - or you might silently discard the message. Neither are good options.

    SMTP is kind of broken. Don't blame Google for it. Different people consider different things best practices. I don't agree with Google's practice in this particular case, while others would claim it's the only proper behaviour.