Because it is borne out in my experience and, presumably, in his as well. FreeBSD, OpenBSD, OS X, and Windows are all used by my "technologically-savvy" peers to some extent; but among the people whom I consider "savvy", the majority use Linux on the desktop.
I haven't heard many PHP developers going back to Perl.
I wrote my first CGI scripts in Perl, but I started using PHP for most of my projects a couple years ago, back when everyone else was switching to it too. But over time it became painfully obvious that, of the two, Perl is by far the more coherent and powerful language. Now I use Perl for most things again.
One in every three or four YouTube videos crashes the browser.
Of course the ideal solution would be for Adobe to fix Flash, but in the meantime you can use nspluginwrapper to prevent Firefox from crashing whenever Flash goes down. nspluginwrapper runs Flash in a separate child process from the web browser, and uses IPC to display the plugin's contents in your browser; it was originally created to allow people to use 32-bit plugins in 64-bit browsers, but this mechanism is also great for isolating the web browser from plugin crashes.
Another solution is to use Opera, which on Linux runs its plugins in an nspluginwrapper-like child process by default.
Right, but that's not actually relevant to the type of attack I'm describing. I should have been more clear:
Suppose Alice runs a web site at http://alice.example/, which uses OpenID to authenticate its users. One of her web site's users is Bob, whose OpenID URL (http://bob.example/) delegates http://charlie.example/ as its OpenID authority, by using the requisite HTML tags in his web site:
Mallory wants to log onto Alice's web site as Bob. One way to do this is to poison the cache of the resolving nameservers used by Alice's web server (e.g., ns1.alice.example), so that when Alice's web server attempts to resolve the domain name http://bob.example/ to authenticate Bob's login, instead of getting the actual IP address of Bob's web server it will receive the address of a malicious web server under Mallory's control; Mallory's web server returns a web page that contains the following code:
Thus giving Mallory total control over authentication for Bob's account.
The bottom line is that until we've replaced the Domain Name System with something far more reliable, it would be foolish to trust OpenID authentication for anything more security-sensitive than a personal weblog account.
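The delegation lookup described in this comment, modelled as an added example in Python (it is not part of the original post, nor code from any OpenID implementation): the relying party resolves the claimed identifier's host, fetches the page, and accepts whichever OpenID server that page declares. The link relations `openid.server` and `openid.delegate` are the OpenID 1.x delegation tags; the host names, addresses, HTML documents and resolver tables are constructed for the example, and the two resolver tables stand in for the answer the relying party's nameserver returns in the honest and the poisoned case.

```python
"""Added example: how OpenID 1.x delegation discovery trusts the DNS answer
for the claimed identifier. All HTML, addresses and resolver tables below are
constructed for this example; nothing is fetched from the network."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class OpenIDLinkParser(HTMLParser):
    """Collect <link rel="openid.server"> and <link rel="openid.delegate">
    from the claimed identifier's HTML page (OpenID 1.x delegation tags)."""

    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        href = a.get("href")
        if rel in ("openid.server", "openid.delegate") and href:
            self.found.setdefault(rel, href)  # first declaration wins


def discover(html_text):
    """Return (server, delegate) as declared by the fetched page."""
    p = OpenIDLinkParser()
    p.feed(html_text)
    return p.found.get("openid.server"), p.found.get("openid.delegate")


# Constructed page that Bob really publishes at http://bob.example/:
# it names charlie.example as his OpenID authority.
BOB_PAGE = """<html><head>
<link rel="openid.server" href="http://charlie.example/openid">
<link rel="openid.delegate" href="http://charlie.example/id/bob">
</head><body>Bob</body></html>"""

# Constructed page served from an address that is not Bob's server (the
# poisoned-cache case in the comment); it is equally well-formed HTML.
IMPOSTOR_PAGE = """<html><head>
<link rel="openid.server" href="http://mallory.example/openid">
<link rel="openid.delegate" href="http://mallory.example/id/bob">
</head></html>"""

# Stand-ins for the relying party's DNS lookup: hostname -> address, and for
# the web fetch: address -> page served there. Both tables are constructed.
HONEST_RESOLVER = {"bob.example": "192.0.2.10"}
POISONED_RESOLVER = {"bob.example": "192.0.2.66"}
SERVERS = {"192.0.2.10": BOB_PAGE, "192.0.2.66": IMPOSTOR_PAGE}


def relying_party_discovery(claimed_host, resolver):
    """Model the relying party's step: resolve the host, fetch the page,
    and accept whatever OpenID server the page declares."""
    addr = resolver[claimed_host]
    return discover(SERVERS[addr])


def authority_for(claimed_host, resolver):
    """Hostname of the server the relying party would redirect the user to."""
    server, _delegate = relying_party_discovery(claimed_host, resolver)
    return urlparse(server).hostname


if __name__ == "__main__":
    print("honest DNS  :", authority_for("bob.example", HONEST_RESOLVER))
    print("poisoned DNS:", authority_for("bob.example", POISONED_RESOLVER))
```

The only difference between the two runs is the address the resolver handed back; the page the relying party parses is valid in both cases and nothing in the discovery step can tell them apart, which is why the comment treats the integrity of the DNS answer, rather than the strength of the login at the OpenID server, as the real question.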
Yeah, OpenID can work with just about any authentication scheme, all without requiring you to provide your credentials on someone else's site.
A much more apt criticism of OpenID would be that it relies on DNS for authentication purposes, and DNS is fundamentally insecure. Why bother stealing passwords when you can just poison the cache of an OpenID site's nameservers, tricking the site into authenticating users against a bogus OpenID server of your choosing?
Does anyone else think that maybe we are approaching this problem the wrong way?
Yes, the wrong way being tacking on extra transaction ID space by means of fragile kludges such as random source port numbers and, possibly, random IPv6 addresses.
It will require a lot more effort, but the right way to solve this problem is by improving the protocol itself. That may mean putting a much larger transaction ID field in the packets, where it cannot be mangled by NAT devices. Or it may mean delegating nameservers by IP address rather than domain name so that resolvers will no longer need to accept potentially-malicious glue records. But preferably, it means moving to a cryptographically-strong domain name system such as DNSSEC.
It breaks the DNS spec by not returning NXDOMAIN for non-existent domains. This may interfere with using DNS blacklists, etc.
It redirects your Google traffic through OpenDNS's own servers, which should raise a million red flags.
Yes, switch to a DNS provider that provides source port randomization, if your ISP's DNS servers do not. But no, don't switch to an untrustworthy one out of desperation.
Huh? You really think that The Incredibles and Finding Nemo can be boiled down to "common memes of road trips, and comedy routines"? Did all the wonderful depth and layered meaning written into those films somehow escape your notice?
(But seriously, I agree with karot's above comment: sure, the problem itself is easily attributable to plain stupidity, but their (non-)handling of the fallout is the essence of slimy.)
That's true, but way to miss the point. The AC's claim was that Obama is heralding in some new breed of disingenuous campaigning in the Democratic party, and he was off base; yeah, Obama is a politician just like all the rest, but if anything he walks the walk a lot truer than most others who have run for the Presidency in my lifetime.
It's quite a thing to claim that all the campaigners before him were intrepid pioneers, and that Obama, in contrast, ushers in a new era where politicians "care even less (than nothing?) for you except for your vote." Do you agree with this? Or do you think, as I do, that this AC has finally, inevitably, become disillusioned with politicians, and Obama just happened to be the one in the spotlight when it happened?
The GPL is probably easier than most commercial licenses, but that does not make it easy. The fact that it's extremely commonly misunderstood should speak to that.
I think it speaks more to the fact that people don't even consider reading the license because "it's freeware, right?" (or "I won't get caught, right?"), than to how difficult the document actually is to parse.
I'm no lawyer, but I can understand the GPL just fine.
I think it's a little mean to refer to Foxmarks as a "poorly maintained 3rd party extension."
Yeah, that comment reeks of spite and ignorance. It also glosses over the privacy issues that kept many from using Google Browser Sync to begin with, but which aren't an issue with Foxmarks.
And anyway, I'm much more willing to trust Foxmarks to store my private data than I am Google -- unlike Google, Foxmarks is not one of the world's fastest-growing advertising companies; and unlike Google, Foxmarks is founded by Mitch Kapor, one of the co-founders of the Electronic Frontier Foundation. Better still, the Foxmarks extension allows you to use your own server for synchronization, if you're so paranoid that you don't even trust your data in the hands of an EFF founder.
If anything can be called a "poorly maintained 3rd party extension" here, it would have to be Google Browser Sync -- which, I suppose, is why it has fallen out of favor.
Assuming that you believe God does not exist, what harm is there in saying it?
You're still asking people to pledge their belief in a deity by saying the oath -- or to lie about said belief. That's dishonorable and relegates non-religious folks to the status of second-class citizens within the organization. I should also point out that the text of the Oath is only one facet of the deep problems of discrimination within the BSA.
It's the same thing with the Pledge of Allegiance. One nation under god.
The current Pledge of Allegiance is another issue, but it is overdue for a change back to its pre-1950s text, wherein the offending "under god" line was originally absent before the Knights of Columbus lobbied Congress to insert religious imagery into it. Much like the Scout's Oath, the current Pledge asks children to pay lip service to the Judeo-Christian worldview. However, unlike the Scout's Oath, the Pledge is imposed on kids the country over in public schools, making the situation even worse.
There wouldn't be a legal problem with any of this if, as you claim, the Boy Scouts of America were purely a private organization. But that's not the case. They seek out and accept public funding for many of their activities, and chapters have even gone so far as to sue the government when it decides to take the moral and legal high ground and stop subsidizing their exclusionary activities.
Now if the BSA were to stop accepting any public money for their activities, the legal problems would go away. Granted, a private organization that excludes homosexuals is still no less despicable than one which denies Jews or Blacks; I and others would continue to criticize them, in the same way that most people criticize, e.g., the KKK, while fully recognizing their right to express their own views. But the gross injustices to tax-paying atheists and gays are what must be addressed, and they can easily be addressed without interfering with the organization's "moral values".
I believe the problem is when you stand up and scream you are an atheist and want everyone else to change what they are doing to do it your way, is when there are problems.
That's a real straw man. With rare exception, atheists and gays are not out to change people's private beliefs and practices. What they do want is to establish equal rights and standing for themselves in the public sphere, and that is a goal we should all be able to stand behind.
It's rather predictable that people would confound a strong stance on atheist/gay rights with rabble-rousing and crass noisemaking, though; after all, that's precisely the same reaction with which all manner of civil rights activists have been received in the past, be they slavery abolitionists, or women's suffragists, or anti-segregationists.
So you're probably correct that the parent poster got by in the BSA without incident by not making noise such as, e.g., refusing to recite the Boy Scouts pledge which commits one to a religious deity. And that's the problem. Until gays and atheists can proclaim themselves as openly as Christians and straights do in any public or semi-public organization, and not be required to pay lip service or deference to the Judeo-Christian worldview -- without being kicked out, or frowned upon, or generally treated as second-class citizens -- then our work is not yet done.
(Fortunately for the parent poster, his local scoutmasters were apparently more tolerant than the national organization: discrimination against gays and atheists is still very much the official policy within the organization.)
It played for me on Linux (with whatever version of Flash 9 is in the Ubuntu 8.04 repositories), but the video had a stupid "See more videos in HD!" overlay that wouldn't go away...
He did say "good corporate citizen", so if you are not paying for it, you obviously have something to hide and should be reported.
You may think this is just a joke, but when my second college roommate saw me using an unfamiliar operating system, he naturally started asking me about it. "What's it called?" "Red Hat Linux." "How much does it cost?" "Nothing, it's free." He freaked out: "Oh my God, how can that be legal? That could cost Microsoft so much in lost profits! That should really be illegal..."
The worst part? He was a business major, an honest-to-goodness PHB in training...
I respond with the "your web browser honors 50 billion different CAs by default, and getting an illicit certificate signed by a single one of them won't be difficult" card.
So that's one data point, anyway...
... except that, from all appearances, this actually is a terrible design flaw, and it can neither be described as "minor" nor "rarely-occurring".
A cellphone is two parts,
1) a radio transceiver
and
2) a computer
<SteveJobsRDF>
... and an iPod, and an Internet communications device!
</SteveJobsRDF>
No, do NOT switch to OpenDNS:
Here ya go
But we've already had a first-party trojan from Apple. It was called Safari.
Yeah, much unlike those warm, loving, caring exemplars of humanity and civil service, Hillary Clinton and John McCain.
Not even remotely. Wake me up with Opera's interface can be extended with XUL.
There are some things that I like about Opera, but in terms of the extent to which its user interface can be customized, it's got nothing on Firefox.
It could be in the form of a very persuasive entreaty for you to write back to the service provider and personally report your actions.
It's easy to dismiss this as inconsequential if you've never walked in the shoes of a non-religious American (or, indeed, any minority); but consider that this exclusionary wording has been used as a bullet point to argue for even greater degrees of religious discrimination, and I think you'll begin to see how much of a problem even the slightest crack in the wall of separation between church and state can be.
No. Not even remotely.