the fact that in TFA they say it's AMD comparison on Oktoberfest. These people don't take breaks!
Slashdot told me "This exact comment has already been posted. Try to be more original...". But I want to put a "+1" nonetheless. :)
What if you walked into a lamp post, fell and hit your head on a turtle, it got angry and bit your ear?
You are right, we are not precise enough. We should reevaluate the whole lot and add such obvious mishaps.
I was going to ask this as a standalone comment, but I'll ask it to you instead.
Is it really that bad? I don't see TV at all and I don't often read American newspapers. I rely mostly on a local newspaper, Slashdot and Al Jazeera for general and tech news. When I see articles like this, or like the ones about evolution, it looks like half of the US is day-dreaming or suffering severe brain trauma. Not trolling, just reporting. I've been to other countries, and people there don't have the same pathological reaction to evolution and AGW I come to expect from Americans.
At the end of the day, the skeptic in me wonders how much of it is blown out of proportion, be it in /. or Wikipedia. Maybe it's the nature of the intertubes, where everyone can shout at the same volume? I don't know, that's why I'm asking. :P
+1 Informative. :P
Wikipedia suggests that the real reason was technical: loading the required knowledge into the system was painful. This is more related to my own experience: ESs don't get adopted because the UI is crappy at best.
The model they use is a human inside a cardboard box.
It is all too easy to judge in retrospect, isn't it?
Your views, and his/her views, have changed. It's been 10 years after all. Maybe GP was 16 years old, without full use of reason (which would explain the bloodlust), and has felt regret since 2005, you wouldn't tell from his few lines... or maybe GP is just an asshole, who knows. But hey, let's judge and insult GP, it's easier than thinking.
This you can say: GP is better than a lot of braindeads that say spilling a single drop of American blood requires victory or death, no matter what.
Well, there's the Flash Crash of 2010 in which HFT played an awful part. There's more info (e.g. research papers) there.
I'm pretty sure I'm seeing my own right now. :-/
What does tata mean, then?
Man, you are a broken record. We already talked about this a few days ago, but you are stubborn. I talked nicely then, but you really should leave security to people who have a clue. My karma can take the flak, so I'll be caustic.
Who can trust a CA? Why would you trust a CA? How did a CA earn your trust?
You trust CAs because the server you are talking with, by itself, can neither confirm nor deny it is who it says it is: you need a third party and you said it yourself a few lines below. You trust those CAs because it's an audit-only club, and the friggin' web browser's company checked it. I trust those approved CAs because I trust the company backing up my web browser (if you don't, you lost the game right at the beginning). I use Firefox a lot more than Lynx because it's usable, go figure: they checked those third parties and said they can be trusted. End of story.
Mozilla, it's time to own up. This is a bunch of nonsense. Stop treating self signed certificates like cancer, provide a way to see the fingerprint clearly, don't bother with the 'lock' icon and start working on some real innovation - how to do trust by having distributed lists of fingerprints, signatures, whatever. Something that doesn't rely on a signing authority at all.
So, I enter americanexpress.com and a web page tells me "This is a self-signed certificate, nobody backs it up but I promise I am who I am". Riiiiight. Let's suppose they even give me a fingerprint or signature or whatever... That means squat: a certificate from an impostor also has a fingerprint. With what/whom do I check it, then?
"A distributed list of fingerprints, signatures, whatever"
How adorable, you trust in a bunch of lists. Or, I should say, a third party. How you can make this work without thinking of this as a distributed CA scheme instead of a self-signed certificate eludes me. If there are plenty of lists and your certificate gets compromised, how can you change them in a timely manner? It's like those corrupt files on eMule that never vanish. If everyone and their mothers can add lists, I just need to control N lists (either by hacking or creating those myself) that say your certificate is false and it's game over. The only way I can trust those "lists" is if they audit with someone I or Mozilla trust, and we are back to square 1 with the system that's currently in place, but instead of adding a single CA, you add more that back your certificate. I told you I agree with that idea of multiple CA validation (I heard some people call them notaries, it's the same crap with a different smell), yet in your previous post you told me that's not a CA or how web browsers should handle it.
You want to do real innovation instead of looking at hiding address bar from the users? Do this instead.
So that's why that company died five years ago! They didn't listen to your suggestions! Oh, wait, I met two fellas from Mozilla and they still make ends meet...
I won't bother replying or seeing responses. It irritates me to hear the same bad idea twice.
I thought about malware attacks. That's why I said it was a weak point. I was thinking of the common shared machine scenario.
Is it really that far-fetched to think that some hacker who wants to download music without getting sued would use a botnet to hide his activities?
I interact with a lot of people, from all walks of life, and not a single one of them got their music libraries from botnets. They either bought them or got dirty using Napster, then eMule, then BitTorrent, and finally Megaupload. So, unless it gets as highly criminalized as CP, I'd rather say yeah, it is far-fetched.
I would mod you up "Insightful", but I need to write a reply. Sorry.
It could be argued that you are a bit responsible for what your computer does. If it's a shared computer, you must control who can use it and for what. It's a weak argument, of course, but it applies to other stuff, like a car.
P.S.: ...
Wow, if I had to choose a Slashdot comment for the Summer of 2011, this would be it. Is it morally wrong to prevent damage to people who wouldn't know better? I can cite dozens of examples on how a society or service based on the assumption that people should fail, feel the pain and learn is psychopathic. But your comment made me apathetic, so I'll just go for an ad hominem. You are the anti-social here.
That was the whole point of this question: he wants to learn from master practitioners before making mistakes, i.e. drowning.
camservo: I don't know of a particular program to learn, but I found great pleasure reading the JVM's source code. I do recommend being suspicious of everything you read. You may find code that doesn't look right, e.g. excessive use of Header Interfaces. The best thing to do is ask other people why they used it there.
The Slashdot crowd response would be more like, "What an idiot, sharing the crime on FB for everyone to see". And a few would say something along your lines, of course.
I'd say "Too big to fail := Too big to exist". ;)
I agree. I would understand those remarks if they were in an over-the-top parody, but they are really out of place here.
Also, don't worry about your karma. It's proven that saying you'll be modded down actually causes people to mod you up.
"supposedly sullying the otherwise good name of a checkpoint smurf."
Really? You read that far? I suspected bias when I read "TSA groper". :P
Sorry, but I can't agree. Most people wouldn't understand what the hell you are talking about, so even if you show them a fingerprint, they wouldn't know what to do. Browsers treat self-signed certificates with suspicion because anyone can self-sign a certificate and they won't prove, only by themselves, that the server is who it says it is. You surely recognize this. Now, CAs earned their trust by passing a real audit, as in people from a company you know IRL go to that company to check stuff IRL. Not that it helped that Dutch company much, but it guarantees a minimum of security. Finally, quite amusingly, you describe a scheme of distributed CAs as a great alternative. We have now come full circle and returned to certificates checked against CAs. I think your proposal is the way to go, by the way: a certificate full of stamps instead of just one per hierarchical level. But nothing self-signed, that would be a nightmare.
There are two possible scenarios. In the first one, you are right and those fellas at GlobalSign are lame. In the other one, they are doing it because of risk mitigation instead of security.
There are people willing to fix it, but "fix" is a function of your sponsors, be they pharmaceutical companies, tech corporations, or banks.
I don't know what is preventing Congress from enacting patent reforms, but it certainly isn't the big tech companies.
I believe I got this article from Slashdot, but I'll post it just in case. Essentially, they were caught in a battle that involves Big Pharma, Wall Street, and an underdog with delusions of grandeur. That's what is h
Dr. Bob, you always amaze me to no end!