Slashdot Mirror


User: Sancho

Sancho's activity in the archive.

Stories: 0
Comments: 5,182

Comments · 5,182

  1. Re: Not Google. on Is Google Making Us Stupid? · · Score: 2, Insightful

    http://www.multivax.com/last_question.html seems particularly appropriate here.

  2. Re:*sigh* on Hans Reiser To Reveal Location of Wife's Body · · Score: 3, Insightful

    Don't feel bad. From the information that was coming out about the trial, there really was reasonable doubt until he took the stand. And the guy is quirky, so it's easy for geeks (who are often quirky) to identify with him.

  3. Re:Doesn't a paper trail enable coercion? on How To Spot E-Vote Tampering? · · Score: 1

    The most common suggestion for a paper trail is that the paper ballot:
    a) Wouldn't have identifying information and
    b) Wouldn't be kept by the voter (it would be deposited into a box at the voting facility and used if a recount is needed.)

  4. Re:Do you have a paper trail? on How To Spot E-Vote Tampering? · · Score: 1

    Your example just provides a way to DOS the election (at best) and hand it to one candidate on a silver platter (at worst.) Do you think that destroying a few paper ballots that all have the name of the other team's candidate in order to invalidate a precinct which was going to that candidate wouldn't happen?

  5. Re:Do you have a paper trail? on How To Spot E-Vote Tampering? · · Score: 1

    Also, this system assumes that the paper ballots are counted at some point, and that discrepancies with the computer count are reported. I'm not sure that's going to be a good assumption. The same people who are likely to have access to all of the ballots, electronic and paper, are going to be the ones doing the counting. If there's fraud, it's likely to be just as easily hidden.

    The only real way to solve this problem is with actual accountability. That means the end of anonymous voting. As a country, we need to decide which evil is lesser--ballot fraud or voter coercion.

    There are ways to mitigate the latter. As long as ballot-counting is done by a small group of people, it's pretty hard to mitigate the former.

  6. Re:Linux has been business-desktop ready for years on Microsoft Free, One Year Later · · Score: 1

    The difference between a security bug and malware is minimal. We can discern intent here by the fact that the Debian packager contacted someone upstream regarding the patch, but had they not, would things have been any different?

  7. Re:Linux has been business-desktop ready for years on Microsoft Free, One Year Later · · Score: 1

    > True, but once the upstream project discovers the problem the distro repo. maintainer can release the fixed version as an update, which will automatically apply to all users of their distro.

    Yeah, but how long will it take to discover the malware?

  8. Re:So ... on Firefox Appears Ready to Crack 20% Share Next Month · · Score: 1

    Yeah, no kidding. It pissed me off to no end when Iceweasel was included with Debian.

    In all seriousness, the problem was never that Microsoft included a web browser by default. The problem was that they "negotiated" with OEMs (by abusing their monopoly) to keep alternate browsers (Netscape specifically) off of the desktop, or in extreme cases, off of the computers entirely. OEMs didn't dare refuse because if their cost per unit of Windows went up significantly, they'd be unable to compete.

  9. Re:So ... on Firefox Appears Ready to Crack 20% Share Next Month · · Score: 1

    > seeing as I don't download random browsers just for the hell of it.

    So? Some people do.

    I downloaded Safari for the hell of it, once it came out for Windows. I was curious to know how well it worked in the new environment, as well as whether it would work emulated through Wine. I had no intention of using it as my primary browser.

    Web developers, if they're good, will test on several browsers beyond their default. These are people who download and install alternate browsers as part of their job.

  10. Re:So ... on Firefox Appears Ready to Crack 20% Share Next Month · · Score: 1

    > What's wrong with having default as enabled? All applications around the world do it and even hide it in advanced install settings.

    If all applications installed keystroke loggers and sent your banking information to the authors, would that be ok, too? What if it was in a dialog box with a default checkmark?

    My point is not that what Firefox did was wrong, but that the logic you used to come to that conclusion was faulty.

  11. Re:So ... on Firefox Appears Ready to Crack 20% Share Next Month · · Score: 1

    Well, as noted in the summary, Safari did it during the iTunes update process. Does that count?

    Updating Firefox is (or at least used to be) equivalent to downloading the new version and installing over it. Since it would take extra code to check if Firefox is already installed, it seems more forgivable to fail to do that (and thus uncheck the "default" checkbox) than to intentionally try to trick the person.

    I also recall a few Internet Explorer updates which set IE as the default browser without even asking. IE 7 may not do this--I don't know.

  12. Re:Rails. . . In the Browser? I'm confused. . . on Microsoft Linking Silverlight, Ruby on Rails · · Score: 1

    Are you so sure that the problem was with Safari and not with Google?

  13. Re:Rails. . . In the Browser? I'm confused. . . on Microsoft Linking Silverlight, Ruby on Rails · · Score: 1

    Because internet-enabled applications are the way of the future, but your average joe-on-the-street thinks that "Internet Explorer is the Internet."

    Seriously, for Web Applications which follow the standards, it's a write-once, run-everywhere situation (well, mostly, except for those places where IE mucks things up.) Want to support Windows? It works. Want to support Linux? It works. Want to support Mac? You get the picture. Any platform with a browser which adheres to the standards can "run" your web app. No need to port your application. No need for users to run complicated installers that ask difficult questions.

    Of course, the trade-off is in security, as you point out. But hey, the people demand software which is easy to use.

  14. Re:UDP Only... on Hiding Packets in VoIP Chat · · Score: 1

    The term Security Through Obscurity is overused and poorly understood. The key is that most Security Through Obscurity has cryptography in plain sight with an "obscure" encryption mechanism. It's the "we created our own cryptography implementation, but we can't tell you what it is because it would compromise the security of the algorithm" that causes the problem. It's usually quite possible to reverse-engineer such algorithms, so if the system relies on secrecy which can be discovered (as opposed to the secrecy of passwords or keys which, in strong systems, cannot be recovered without interacting with the owner of said password), then the system is weak.

    With steganography, you're not only hiding the algorithm used, you're hiding the fact that there's any message at all. Ideally, you'd also encrypt any steganographic message, meaning that even if someone discovers that a message is there, they won't be able to read the message. In this way, you're protecting yourself from, say, Carnivore-like systems, but even if your data-hiding fails, no one can read the content anyway.

  15. Re:QoS? on Why BitTorrent Causes Latency and How To Fix It · · Score: 1

    You can apply QOS rules by identifying Layer 7 traffic and boosting it up. Good luck getting Bit Torrent to look like web traffic :)

  16. Re:Accidentents. on Microsoft Urges Windows Users To Shun Safari · · Score: 2, Insightful

    Both are at fault.

    Apple should have followed the design specifications for the platform on which they were developing.

    Microsoft should have made the default to not trust the file. Applications such as installers (with admin privileges) could easily mark files as trustworthy. Stealth downloads (which aren't executing untrusted code) could get the file on the desktop, but not modify the metadata.

  17. Re:solution in search of a problem on Google To Host Ajax Libraries · · Score: 1

    It's not the website owner's obligation to provide you with content, either. If they want you to view ads to view content, and they can find a way to enforce that, kudos.

    Man, the entitlement is getting thick around here....

  18. Re:solution in search of a problem on Google To Host Ajax Libraries · · Score: 1

    > Personally, I use the hosts file because I don't care to even have my IP address showing up in their access logs. This isn't necessarily because I think that would be a bad thing, but it's because I don't see what benefit there would be for me and, as others have mentioned, the additional DNS query and traffic that would take place could only slow down the rendering of a given Web page.

    I'm not trying to change your mind, I'm just giving my perspective.

    Google has a lot of really neat and progressive initiatives. Even though I hold none of their stock, I really hope that they succeed as a company. I think that other businesses could stand to learn a little about their business model, and certainly the world at large could benefit from some of their investments (renewable-energy, etc.) Now, I don't know if letting Google know my IP address hit their analytics servers will help them in their goal, but since there's almost no detriment to me, I don't particularly mind it.

    Note that I don't think that Google is without flaws. I really wish that they'd be more progressive on human rights issues in other countries, for example. But let's not throw the baby out with the bathwater....

  19. Re:Windows Vista? on What Examples of Security Theater Have You Encountered? · · Score: 1

    Oh, and "inspections" of laptops at the border. That's not a security issue. Customs are looking at these notebooks to prevent contraband from being brought into the country. It's theater, but not of the security variety. After all--it would be much easier to bring e-contraband electronically (by visiting a website.)

  20. Re:Exteneded Validation Certificates on What Examples of Security Theater Have You Encountered? · · Score: 2, Insightful

    There can quite easily be different levels of trust. A normal certificate tells me that the cert was issued by the CA to someone who had control over the domain's DNS records. That could be the real owner, someone who hijacked the real owner's mail remotely, or someone who sat at the owner's computer while they were away and requested the cert. Who knows?

    Extended Validation certs ostensibly try to verify that the person requesting the cert is who they claim to be. Whether this is what happens in practice, I really couldn't say, but to suggest that the information is black-and-white is disingenuous. You might as well suggest that only one level of security clearance is needed--that either the person is trusted or they are not.

    Of course, in the real world, people may not differentiate between EV and standard SSL certs. Hell, plenty of people are fooled into providing their information to phishers. But that doesn't mean that it's security theater--it means that those people are easily fooled. EV could, in theory, benefit people who are willing to pay attention.

  21. Re:fair enough on NASA Employee Suspended For Blogging At Work · · Score: 1

    Right, but if you read for context (re: look at the parent to whom I was replying) we were talking about general circumstances, not this guy's specific circumstances.

  22. Re:fair enough on NASA Employee Suspended For Blogging At Work · · Score: 1

    There are often contradictory studies on controversial topics. If you really want to make an informed decision, read up on the studies and their methodology.

  23. Re:He knew what he was doing. on NASA Employee Suspended For Blogging At Work · · Score: 1

    > He's only suspended, not fired, which makes me think it's not a "looking for an excuse to fire him" thing.

    He was suspended for 6 months without pay. That's as good as a firing for most people, except that because it's not an official firing, he can't collect unemployment if he quits to find work elsewhere.

  24. Re:One of the few things Hatch did right on NASA Employee Suspended For Blogging At Work · · Score: 1

    > When they are at home they can do as they wish, but bureaucracy is messy enough without bringing the politics in.

    Oh, but they can't.

    http://www.osc.gov/ha_fed.htm

    The Hatch Act prohibits some political activity, even on your own time, if you have certain jobs in federal agencies.

    It's asinine.

  25. Re:Federal Employees give up some rights on NASA Employee Suspended For Blogging At Work · · Score: 1

    Allegedly, it's there to prevent someone from threatening your job unless you go campaign for so-and-so candidate. In reality, that's stupid, because they could just make such threats illegal.