Please, please don't do that... that is purely evil. You give the impression to your visitors that you are securing their data, and then you don't if you do it that way. Also note that you can get a certificate every bit as good as the ones that VeriSign issue for much less than $895/year these days - look around a bit more.
You do raise a very interesting point though. The fact that browsers don't pop up a warning for plain-text SSL could actually potentially be used to perform a man-in-the-middle attack with no-one the wiser (unless they check the issuer of the certificate manually, as they should)! That is rather scary to me, and it is serious enough that patches should be issued (not that most people apply them, but that is an entirely different story).
Uh, that AC was not me. And I already apologized for the poor formatting... kindly lay off :)
Gah... I submitted this as HTML but slashcode interpreted it as plaintext and messed up the formatting somehow... sorry!
(Disclaimer: I am probably biased, since we issue SSL certificates on our website.)
This article is a good example of yet another reason why the old advice of "make sure the site you are dealing with has an SSL certificate, and you should be fine" is no longer entirely true.
To be more confident you are dealing with a reputable/accountable merchant/site, you should not only make sure that they have an SSL certificate, but you should also actually click on the lock (or however it is done in the browser you use) and look at the certificate.
The reason the advice used to be valid is that traditionally, to get an SSL certificate, you had to provide documents to prove you are who you say you are, i.e. DUNS #, articles of incorporation, business license, DBA, bank statement, passport, driver's license, whatever. That is still true for most of the certificate authorities, but it isn't always true. Some of the new certificate authorities don't actually ask to see documents before issuing the certificate; instead, they merely make sure that you have control of the domain by sending an email to the listed contacts. In some cases, they also place a phone call to a number you provide them (I fail to see how this does anything, but..). Certificate authorities that do this will issue the certificate to "Domain control validated, organization not validated" as the organization (or similar text to that effect) rather than to the actual name of the company the certificate is for. These certificates are perfectly fine for making sure things are encrypted; however, they make the certificate useless for getting an idea about the legitimacy of who you are dealing with. They also don't tend to carry the warranties that other ones do (and for good reason, who would underwrite that procedure?).
Apparently you're not familiar with the plight of most internet merchants these days. Credit card fraud is basically ignored, and is the merchant's liability. Sad, but true.
I took a look, they haven't put the domain on registrar-lock.
Just transfer the domain to another registrar - you won't lose anything other than a registrar you aren't happy with (i.e. the existing time on the registration is extended by a year).
(Shameless plug: We offer domain name registration for $10.95/year.)
I just checked through the mail I've received in the last while, and there is only one newsletter I am on using Habeas -- other than that, I have only received Habeas headers in spam.
Guess what my Bayesian filter is going to start thinking of those headers soon... this could prove to be a problem for them if they don't get things fixed ASAP.
Legal yes, possible no. Telus doesn't do GSM. The only other Canadian GSM provider is Fido. No contracts!
I would suggest that they earn a good deal more than $10/month from many of their users' activities...
Wow, that sounds great for productivity...
I'm all for the paperless office, but sometimes things are taken to an extreme IMHO... there are exceptions that come up sometimes where paper simply is the best (or only) choice -- and having employees paid to wait around for a month seems a bit... backwards.
5256375678 -- it's somewhere in the first 10,000 digits of pi.... I want my cookie now! :)
I am actually quite concerned about the push to internationalize DNS.
It is not that I don't have things to gain from it -- people would be buying more domains, and my company, among other things, sells domains. I also speak two languages; one of them requires accents in some situations. It would be nice to be able to include them.
So it's not that I don't understand the attractiveness to the various stakeholders.
BUT, from a practical perspective, I think it is a nightmare. We've already seen situations where people register paypa1.com (the last character there is a one, not the character l) and use it to grab people's info. Additional possibilities include spammers registering domains similar to others' and sending spam with a URL on that domain. Or entries in syslog. With the limited character set currently allowed, the only thing that can happen is people who aren't looking closely, or are using certain fonts that don't necessarily distinguish things as well as they could/should, get burnt. But if we implement international domains, there will be a LOT of ways to register names that are incredibly similar -- and depending on how much of unicode/utf-8 we implement, it would actually be possible that there would be two different encodings for a character that is *supposed* to appear exactly the same on screen.
What a nightmare.
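The lookalike-name risk in the comment above, as an added example (not the commenter's code) of how a defender can screen new registrations or inbound URLs against a list of protected names: it shows that two encodings of an accented character are distinct strings until normalized, and it flags digit/letter and cross-script substitutions such as the paypa1.com case. The confusables table is a constructed subset of the real Unicode confusables data, and the domain names are constructed.

```python
import unicodedata
from typing import List, Optional

# Constructed, deliberately small map of confusable characters -> the ASCII
# letter they imitate. A real deployment would load the full Unicode
# confusables.txt; this subset is only enough to demonstrate the technique.
CONFUSABLES = {
    "1": "l", "|": "l", "0": "o",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
}


def same_glyphs(a: str, b: str) -> bool:
    """True if two labels are different strings that render identically,
    i.e. they differ only in Unicode encoding (precomposed vs. combining)."""
    return a != b and unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


def skeleton(label: str) -> str:
    """Reduce a domain label to a comparison form.

    1. NFKC folds the 'two encodings of one glyph' case and compatibility forms.
    2. Known confusables are mapped onto the ASCII letter they imitate.
    3. Remaining combining marks are stripped so 'café' collides with 'cafe'
       (a signal worth a second look, not a verdict on its own).
    """
    out = []
    for ch in unicodedata.normalize("NFKC", label.lower()):
        ch = CONFUSABLES.get(ch, ch)
        for c in unicodedata.normalize("NFD", ch):
            if unicodedata.category(c).startswith("M"):  # combining mark
                continue
            out.append(c)
    return "".join(out)


def mixed_scripts(label: str) -> bool:
    """True if the label mixes letters from more than one script
    (e.g. Latin and Cyrillic), which legitimate names rarely do."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # Character names start with the script, e.g. 'LATIN SMALL LETTER A'
            scripts.add(unicodedata.name(ch, "").split(" ")[0])
    return len(scripts) > 1


def lookalike_of(candidate: str, protected: List[str]) -> Optional[str]:
    """Return the protected domain that `candidate` visually imitates, or None."""
    if candidate in protected:
        return None
    cand = skeleton(candidate)
    for name in protected:
        if skeleton(name) == cand:
            return name
    return None
```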
My receipt method:
I get a stack of those thin pieces of loose leaf paper, a letter size file folder, and a two-hole punch. I put a clip on both sides of the file folder. As I get receipts, I staple them to a piece of paper on the left. Once entered into the accounting system (I only keep receipts for my business and large purchases at this point even though I *should* theoretically keep more), I transfer it to the right side. Order is reverse-chronological.
Added advantage is that it can be transferred to a binder if desired. Bonus #2 is that it is ready to be filed away at the end of the (year,month).
Absolutely!
One thing I would add to that, however, is that fortunately, things are changing -- and as you suggest, not due to the credit card issuers. There is an EU directive that is going to hold the banks responsible for CC fraud, and guess what? They are responding. There are initiatives such as 'Verified by Visa' and similar ones for MasterCard etc, where basically you will have a password for your credit card, that doesn't get sent to the merchants, but straight to the banks. Card-not-present merchants, a new era is coming... and a very good one, I think.
You are awesome!
:)
Thanks
Wow... that would be very very nice of you. :)
My email address can be found on ddent.net.
I help admin a largish Win98 installation... we have no intention of going any further on the upgrade treadmill. It has been very frustrating -- there seems to be a Windows 98 sysprep tool out there, but it isn't available anymore, as they want people using 2000/XP. We of course only realized how useful the tool would be _after_ they decided to stop distributing it... we do without, but it would save hours of work.
Here is what we do about the DST problem:
1) Machines are set to completely ignore DST updates
2) The Samba login script has the time sync upon log in, every time.
That keeps the clocks right, and the dialogs down.
It won't make anyone happy, but pick an ID that is not in use, start using it, and send them a registered letter stating that you are using it, and have no intention of paying them for the privilege. Such makes it more likely that it will actually get read by someone who would care.
They don't want collisions as much as you do..
I've looked up your domain with PIR (they run .org now, not VeriSign), and they are showing Gandi as the registrar of record. That means it doesn't really matter what NetSol thinks, they don't have any control over the domain any more. You needn't worry.
<plug type="shameless">Maybe when it comes time to renew you will consider using OmegaSphere for your domain name needs? We do good support, and apparently have the approval of an AC right here on /.! (competitive pricing too, at $10.95/domain/year)</plug>
Try the bash man page. No, I'm actually serious -- read it over, about three times. It may actually start making sense at that point. There is a lot to it though...
I am the owner of OmegaSphere, a web hosting company (among other things). We frequently get customers who wish to switch to us and realize that they don't actually have their name on the records of the registration -- it's shocking the number of web hosting companies that put their own names on the registration as a means of holding their customers hostage. It's not good for the customers, and it's not good for the reputation of the industry.
To a large extent it's a problem that can only be solved through education, i.e. people knowing they should be the ones with their name on it.
Sometimes I have been able to help clients transfer their name to us and fix the records despite the best attempts of their old (and now about to be bad-mouthed everywhere) host, using various methods which I won't go into but people are welcome to contact us about if you want some help...
I don't quite understand the logic of it: Your customer has decided to use a different company as a host. They blackmail you with your domain. After you have the situation resolved, whether it is by accepting the blackmail or other means, are you going to: A) Tell all your friends that you simply prefer your new host, or B) Tell all your friends what a HORRIBLE experience you had with your old host, NEVER do business with them, and by the way my new host is awesome. Etc.
I would suspect B.
Never underestimate the power of word of mouth, especially in the internet age. I know it's how we get a lot of our customers -- but it could just as easily be how we lost them if we started acting against the best interests of our customers.
I know I've run into many situations where the authorities simply aren't interested in investigating crimes unless the crime caused over X in damages (usually at least five grand...). I can understand budget issues yadda yadda, but that isn't an excuse.
Maybe if they actually enforced existing laws, they would get the small crimes and criminals before they turned into large ones...
It has gotten to the point where in most cases I advise people it is not worth their effort to try and get the authorities involved -- it's like speaking to a brick wall - unless you are a big company that could sue them for not acting.
That is what is criminal...
Contact me at the email address on ddent.net -- I have a domain that has accumulated over 200 megabytes of spam in a matter of days.
Absolutely, it is reasonable to only talk about ISO formatting for that purpose. I'm just putting the information out there... spewing it forth into the void. :)