I run sites with no commercial CA. I run my own CA. It is very easy to do with openssl. The key is that the sites are used by limited clients. They are the clients own web sites used by their employees and B2B customers. Man-in-the-middle protection is essential - but the commercial CA is unnecessary. The private CA cert is distributed by other means (e.g. CD) and preloaded in the browser.
The above approach is "self signed" in the "do it yourself sense". But I think people are talking about "self-signed" in the "not signed by anyone" sense which is implemented in SSL by signing a cert with itself. Unsigned ("self-signed") SSL certs are for testing only. There is no reason not to sign your sites. Would you provide your own RPM repository over the internet, and not bother to sign the packages? Use your own CA if you don't want to pay a commercial one.
If the general public will be using your site, and you *still* don't want to pay a commercial CA, then use http://cacert.org./ Your visitors will have to install the cacert.org CA cert first, but that is better than having to preload your CA cert and trusting you to sign *any* site.
And that is the weakness with SSL. Once you load a CA cert, you trust it to authenticate *any* website (separate policies available for email). In a less monopolistic world, any cert I download from momandpop.com, would be trusted to authenticate *.momandpop.com - but nothing else. (There is still the risk of man in the middle on first contact.) I would still trust certs from the likes of Verisign to "authenticate" total strangers (as in they had a valid credit card and controlled the sites DNS at the time of application).
Furthermore, I might want to *reduce* trust in one of the default CA certs - perhaps after reading about some scandal on slashdot. I can delete a CA, but not reduce trust. It is all or nothing.
TFA mentions that "you need to be logged in to facebook for the attack to work". So an evil applet that JRE thinks came from facebook would indeed be able to do things on facebook as the logged in user.
The mime type says "GIF", but if it looks executable, try to run it anyway. Or maybe it is just Windows. TFA didn't mention which software does this (other than "the browser"). At one point they blame Sun. Huh? Does the GIF have an applet tag? Or does this attack involve running a malicious applet at evil.com, which then loads a JAR from facebook.com (which was uploaded as a GIF) and the JRE runs it as if it came from facebook. *That* would be a Sun problem (and not a "browser" problem).
Actually, there are temporary vacations from Thermodynamics happening all the time at the nano-scale level. The "laws" of thermodynamics are "laws" of averages over astronomical (standard units being 6.023x10^23 molecules) numbers. There is no law that says your room temperature glass of water can't suddenly begin to boil while sporting ice cubes. It is just astronomically improbable (but not improbable enough to power a starship). For that matter, resurrection from the dead is not impossible - just astronomically improbable (the same can be said for abiogenesis).
1. Checkout with "co -l $1" (RCS - has the advantage of no setup required) or your favorite SCCS 2. "vim $1" (or your favorite editor) 3. "rscdiff $1 (to check for changes) 4. "ci $1" (to check in and ask for description)
The classic Christian doctrine is "inspiration" - "Holy men of God spake as they were moved by the Holy Ghost". The documents were written, and the words chosen by men, with the individual personalities showing in full force - but the inspiration and endorsement was from God. The "divine dictation" idea that someone sat with a pen and wrote exactly what God dictated is cultic - although *some* divine dictation is contained within prophetic books. Even Mormons only believe in divine dictation as a miraculous means of restoring a lost manuscript. ("All copies are lost? No problem, I'll let you copy a vision of one.")
"rewritten over and over": The 5000+ extant manuscripts of the NT have only minor variations. The OT books were copies virtually error free thanks to clever checksum schemes used by the scribes. Since the variations in NT books are transcription errors (not "rewriting"), they form a tree, like genetic mutations. And you can trace down to the root and get a pretty good idea of the original.
I'm not disputing whether the US has "blood on its hands". But being perfectly innocent does *not* protect you from things like 9/11, or worse (see Sudan). In fact, the bullies of the world prefer helpless victims to ones that might fight back. If you are strong, you can either be a bully, or you can use your strength to protect those weaker than you from bullies. Of course, then there are complications like the guy you are protecting being lazy and not taking basic realistic steps for self-defense.
As a super power, the US is going to have a huge effect on other nations, intentional or not. The question to ask is, are we going to be a bully, or a watchman on the wall (or just retreat to our resource consuming paneled house and ignore the riff raff)?
opendns.com does the very mangling I want to avoid and calls it a feature. At least they tell you they are doing it, and use it for stuff that could benefit end users (filtering allowed site names) as well as their own advertising. But it doesn't solve the problem. It is just a more "open" and up front version of the problem.
They clearly explain that they mangle your DNS requests, and this makes their service "smart". Unfortunately, they do not explain some of the negative ramifications of this. However, their service is targeted to "end-users". Presumably, an email provider would use their own DNS server on a real OS (I do).
I got tired of dealing with braindead or deliberately poisoned DNS servers at ISPs a long time ago. Run your own. It is trivial in linux (install caching-nameserver in EL/Fedora), and I assume OSX. I suspect even Windows has an open source named you could run.
Ekiga works fine through NAT routers and firewalls - if you use their proxy service. Their proxy service is free as in beer for connecting to other SIP phones. However, you pay to connect to the POTS network. I suspect that at some point when VOIP overtakes POTS, that proxy service will be paid in all cases.
You are free to use other vendors for your proxy (albeit the configuration wizard makes configuring for ekiga.com trivial and others less so). To use it independently without a proxy, you do need a routeable IP. I have no problem with their proxy service. Paying for actual service is entirely consistent with the open source philosophy.
Imagine buying a car that refused to tell you what kind of fuel it needs. Instead, you buy the proprietary fuel supplied by the maker. Sure, some garage chemists have done their best to reverse engineer the stuff, and can give you the recipe for a serviceable substitute. But you should be able to buy a car that uses a standard fuel type (or types), like regular, premium, diesel, kerosene, jet fuel, methanol, ethanol, etc, and buy compatible fuel from multiple vendors. Keeping the fuel specs secret is just a lock-in technique, and restricts the buyers freedom to use his vehicle.
In all those cases, a full and honest disclosure is more than sufficient to vitiate any potential harm.
That is exactly what is missing - especially in the case of DRM. People do *not* understand the limitations of what they are buying, because the vendor is misleading and dishonest. The people shafted when their NFL videos became unplayable with no refund, or their Microsoft video store purchases, or... have no clue what happened or why. In their mind it was simply a defective product.
And in practical terms, they are exactly right - which is why "Defective by Design" is a good anti-DRM slogan.
If your cheap laptop came with a crappy Broadcom card, then spend $40 on a USB dongle or pcmcia card with an open source friendly chipset. In most cases, you can buy a mini-PCI card to replace the Broadcom junk and be just as convenient (no extra dongles). You can even use the open source Broadcom driver - which is more stable than the Windows driver (but doesn't have the same range).
A specific recommendation is anything with the zd1211rw chipset. Of course a retail box that actually lists the chipset in the specs is a rare find - but that is just another aspect of how proprietary software takes away your freedom.
You are quite right concerning "free beer". Of course software authors need to make a living, and directly paying them or their employer is a valid way to accomplish that. But the discussion is about "libre", the four freedoms that users of software should have (although I would pick a different 4 freedoms for end users than Stallman - freedom from DRM is important for an end user, freedom to change the code is not, but freedom to use the code in unanticipated ways is).
Imagine a world in which Skype almost completely replaces POTS, and only closed Skype software can connect to another Skype client because of proprietary twists to the protocol. Sound familiar?
The game console is not advertised as a general purpose device. It is sold as playing games offered by the company and approved 3rd party software vendors. In the same vein, binary blob firmware is not a problem for software freedom purists. The code does not run in the general purpose CPU, it simply a low cost replacement for a ROM in the hardware. In fact, the binary blob does not have to be traditional "code" - it could just as easily be the connection list for a FPGA.
What is a problem is binary kernel drivers like Nvidia and Broadcom. There is a reverse engineered open source driver for Broadcom that doesn't crash all the time like the Windows driver. It still uses the binary blobs, however (that the end user has to extract from the Windows driver).
Skype is a problem - what's wrong with Ekiga? Our office just uses hardware ATAs and VOIP phones that don't pretend to be general purpose. A more uncomfortable case is NXclient. The protocol is documented and can be implemented, and there is a fine open source NX server (freenx), but the open clients aren't as ready for prime time. I ended up installing the nomachine free beer NX client for my Dad.
Don't forget the "War" on drugs and child pornography. Police can confiscate the property of anyone they suspect of a drug crime. No substantial evidence (habeas corpus) required. It is called the "war" on drugs to justify this lowered standard of evidence, since a similar lowering of the standard has taken place in wartime since Abraham Lincoln.
Anyone accused of child pornography is automatically a pariah, and remains on sex offender lists (not necessarily government endorsed ones), even when the accusation is proved to be baseless. "It is the serious charge. A serious charge indeed." Since real child pornography today often involves downloads via the internet, it is very easy for a sexual predator to use your home internet connection while you are out of the country, and clueless officials blame you for it. You lose your job, marriage prospects, and social life for the rest of your life.
Now the RIAA is using the same suspension of habeas corpus, without even the pretension of "war". Or maybe that is why they insist on calling copyright violators (real or imagined) "pirates".
Unless you have space for infinite backups, his method is write. At some point, you'll run out of space and have to delete old backups to make room for the new ones.
Yes, but you probably shouldn't delete the actual *oldest*. Backups should get sparser the older they get, but you should still have some ancient ones for precisely this reason (and others). The standard human algorithm is everyday for a week, every week for a month, every month for a year, every year for a decade. Storage for last decades backup is generally trivial.
The self-support model that is required for a zero-price Linux distro is often not acceptable in a corporate environment (unless they have internal IT that can provide the support). Which is why Red Hat Linux (and Suse and Oracle) continue to sell despite the existence of Centos. The best part is - while the price is non-zero (and generally too hefty for home use), the freedom is still included.
However, MS was one of the biggest JAVA proponents, even integrating the VM in their OS as soon as possible. So what did Sun gain in fighting over a 'technical' issue with the Windows VM version? It gained a Java standard that continued to be write-once run anywhere (modulo platform bugs). Windows specific extensions are fine, and welcome, in a cross platform standard - provided they are *not* in the core libraries. Sun's mistake, like so many others, was trusting Microsoft..NET is not and never will be cross platform (no, mono doesn't cut it, and if it ever does, MS will kill it). It will likely help Microsoft support different CPUs (running Windows), however.
There are other cross-platform approaches with different advantages and drawbacks (like QT). But I am glad that Java has remained a contender.
Slashdot Mirror
I run sites with no commercial CA. I run my own CA. It is very easy to do with openssl. The key is that the sites are used by limited clients. They are the clients own web sites used by their employees and B2B customers. Man-in-the-middle protection is essential - but the commercial CA is unnecessary. The private CA cert is distributed by other means (e.g. CD) and preloaded in the browser.
The above approach is "self signed" in the "do it yourself sense". But I think people are talking about "self-signed" in the "not signed by anyone" sense which is implemented in SSL by signing a cert with itself. Unsigned ("self-signed") SSL certs are for testing only. There is no reason not to sign your sites. Would you provide your own RPM repository over the internet, and not bother to sign the packages? Use your own CA if you don't want to pay a commercial one.
If the general public will be using your site, and you *still* don't want to pay a commercial CA, then use http://cacert.org./ Your visitors will have to install the cacert.org CA cert first, but that is better than having to preload your CA cert and trusting you to sign *any* site.
And that is the weakness with SSL. Once you load a CA cert, you trust it to authenticate *any* website (separate policies available for email). In a less monopolistic world, any cert I download from momandpop.com, would be trusted to authenticate *.momandpop.com - but nothing else. (There is still the risk of man in the middle on first contact.) I would still trust certs from the likes of Verisign to "authenticate" total strangers (as in they had a valid credit card and controlled the sites DNS at the time of application).
Furthermore, I might want to *reduce* trust in one of the default CA certs - perhaps after reading about some scandal on slashdot. I can delete a CA, but not reduce trust. It is all or nothing.
TFA mentions that "you need to be logged in to facebook for the attack to work". So an evil applet that JRE thinks came from facebook would indeed be able to do things on facebook as the logged in user.
The mime type says "GIF", but if it looks executable, try to run it anyway. Or maybe it is just Windows. TFA didn't mention which software does this (other than "the browser"). At one point they blame Sun. Huh? Does the GIF have an applet tag? Or does this attack involve running a malicious applet at evil.com, which then loads a JAR from facebook.com (which was uploaded as a GIF) and the JRE runs it as if it came from facebook. *That* would be a Sun problem (and not a "browser" problem).
for the 90 day holiday to apply to each car independently. *Obviously* you don't want everything going on gravity vacation at once.
Actually, there are temporary vacations from Thermodynamics happening all the time at the nano-scale level. The "laws" of thermodynamics are "laws" of averages over astronomical (standard units being 6.023x10^23 molecules) numbers. There is no law that says your room temperature glass of water can't suddenly begin to boil while sporting ice cubes. It is just astronomically improbable (but not improbable enough to power a starship). For that matter, resurrection from the dead is not impossible - just astronomically improbable (the same can be said for abiogenesis).
1. Checkout with "co -l $1" (RCS - has the advantage of no setup required) or your favorite SCCS
2. "vim $1" (or your favorite editor)
3. "rscdiff $1 (to check for changes)
4. "ci $1" (to check in and ask for description)
The classic Christian doctrine is "inspiration" - "Holy men of God spake as they were moved by the Holy Ghost". The documents were written, and the words chosen by men, with the individual personalities showing in full force - but the inspiration and endorsement was from God. The "divine dictation" idea that someone sat with a pen and wrote exactly what God dictated is cultic - although *some* divine dictation is contained within prophetic books. Even Mormons only believe in divine dictation as a miraculous means of restoring a lost manuscript. ("All copies are lost? No problem, I'll let you copy a vision of one.")
"rewritten over and over": The 5000+ extant manuscripts of the NT have only minor variations. The OT books were copies virtually error free thanks to clever checksum schemes used by the scribes. Since the variations in NT books are transcription errors (not "rewriting"), they form a tree, like genetic mutations. And you can trace down to the root and get a pretty good idea of the original.
I'm not disputing whether the US has "blood on its hands". But being perfectly innocent does *not* protect you from things like 9/11, or worse (see Sudan). In fact, the bullies of the world prefer helpless victims to ones that might fight back. If you are strong, you can either be a bully, or you can use your strength to protect those weaker than you from bullies. Of course, then there are complications like the guy you are protecting being lazy and not taking basic realistic steps for self-defense.
As a super power, the US is going to have a huge effect on other nations, intentional or not. The question to ask is, are we going to be a bully, or a watchman on the wall (or just retreat to our resource consuming paneled house and ignore the riff raff)?
About 6 months after the kitchen sink.
opendns.com does the very mangling I want to avoid and calls it a feature. At least they tell you they are doing it, and use it for stuff that could benefit end users (filtering allowed site names) as well as their own advertising. But it doesn't solve the problem. It is just a more "open" and up front version of the problem.
They clearly explain that they mangle your DNS requests, and this makes their service "smart". Unfortunately, they do not explain some of the negative ramifications of this. However, their service is targeted to "end-users". Presumably, an email provider would use their own DNS server on a real OS (I do).
I got tired of dealing with braindead or deliberately poisoned DNS servers at ISPs a long time ago. Run your own. It is trivial in linux (install caching-nameserver in EL/Fedora), and I assume OSX. I suspect even Windows has an open source named you could run.
Ekiga works fine through NAT routers and firewalls - if you use their proxy service. Their proxy service is free as in beer for connecting to other SIP phones. However, you pay to connect to the POTS network. I suspect that at some point when VOIP overtakes POTS, that proxy service will be paid in all cases.
You are free to use other vendors for your proxy (albeit the configuration wizard makes configuring for ekiga.com trivial and others less so). To use it independently without a proxy, you do need a routeable IP. I have no problem with their proxy service. Paying for actual service is entirely consistent with the open source philosophy.
Imagine buying a car that refused to tell you what kind of fuel it needs. Instead, you buy the proprietary fuel supplied by the maker. Sure, some garage chemists have done their best to reverse engineer the stuff, and can give you the recipe for a serviceable substitute. But you should be able to buy a car that uses a standard fuel type (or types), like regular, premium, diesel, kerosene, jet fuel, methanol, ethanol, etc, and buy compatible fuel from multiple vendors. Keeping the fuel specs secret is just a lock-in technique, and restricts the buyers freedom to use his vehicle.
In all those cases, a full and honest disclosure is more than sufficient to vitiate any potential harm.
That is exactly what is missing - especially in the case of DRM. People do *not* understand the limitations of what they are buying, because the vendor is misleading and dishonest. The people shafted when their NFL videos became unplayable with no refund, or their Microsoft video store purchases, or ... have no clue what happened or why. In their mind it was simply a defective product.
And in practical terms, they are exactly right - which is why "Defective by Design" is a good anti-DRM slogan.
If your cheap laptop came with a crappy Broadcom card, then spend $40 on a USB dongle or pcmcia card with an open source friendly chipset. In most cases, you can buy a mini-PCI card to replace the Broadcom junk and be just as convenient (no extra dongles). You can even use the open source Broadcom driver - which is more stable than the Windows driver (but doesn't have the same range).
A specific recommendation is anything with the zd1211rw chipset. Of course a retail box that actually lists the chipset in the specs is a rare find - but that is just another aspect of how proprietary software takes away your freedom.
You are quite right concerning "free beer". Of course software authors need to make a living, and directly paying them or their employer is a valid way to accomplish that. But the discussion is about "libre", the four freedoms that users of software should have (although I would pick a different 4 freedoms for end users than Stallman - freedom from DRM is important for an end user, freedom to change the code is not, but freedom to use the code in unanticipated ways is).
Imagine a world in which Skype almost completely replaces POTS, and only closed Skype software can connect to another Skype client because of proprietary twists to the protocol. Sound familiar?
The game console is not advertised as a general purpose device. It is sold as playing games offered by the company and approved 3rd party software vendors. In the same vein, binary blob firmware is not a problem for software freedom purists. The code does not run in the general purpose CPU, it simply a low cost replacement for a ROM in the hardware. In fact, the binary blob does not have to be traditional "code" - it could just as easily be the connection list for a FPGA.
What is a problem is binary kernel drivers like Nvidia and Broadcom. There is a reverse engineered open source driver for Broadcom that doesn't crash all the time like the Windows driver. It still uses the binary blobs, however (that the end user has to extract from the Windows driver).
Skype is a problem - what's wrong with Ekiga? Our office just uses hardware ATAs and VOIP phones that don't pretend to be general purpose. A more uncomfortable case is NXclient. The protocol is documented and can be implemented, and there is a fine open source NX server (freenx), but the open clients aren't as ready for prime time. I ended up installing the nomachine free beer NX client for my Dad.
you would need [space] Craft Net to confirm it.
Make sure you contribute at least some of your time to open source projects. That you can show.
Don't forget the "War" on drugs and child pornography. Police can confiscate the property of anyone they suspect of a drug crime. No substantial evidence (habeas corpus) required. It is called the "war" on drugs to justify this lowered standard of evidence, since a similar lowering of the standard has taken place in wartime since Abraham Lincoln.
Anyone accused of child pornography is automatically a pariah, and remains on sex offender lists (not necessarily government endorsed ones), even when the accusation is proved to be baseless. "It is the serious charge. A serious charge indeed." Since real child pornography today often involves downloads via the internet, it is very easy for a sexual predator to use your home internet connection while you are out of the country, and clueless officials blame you for it. You lose your job, marriage prospects, and social life for the rest of your life.
Now the RIAA is using the same suspension of habeas corpus, without even the pretension of "war". Or maybe that is why they insist on calling copyright violators (real or imagined) "pirates".
Break down by specialty:
http://www.petitionproject.org/gwdatabase/GWPP/Qualifications_Of_Signers.html
Only 40 "climatologists", but 3000+ in highly relevant fields.
Unless you have space for infinite backups, his method is write. At some point, you'll run out of space and have to delete old backups to make room for the new ones.
Yes, but you probably shouldn't delete the actual *oldest*. Backups should get sparser the older they get, but you should still have some ancient ones for precisely this reason (and others). The standard human algorithm is everyday for a week, every week for a month, every month for a year, every year for a decade. Storage for last decades backup is generally trivial.The self-support model that is required for a zero-price Linux distro is often not acceptable in a corporate environment (unless they have internal IT that can provide the support). Which is why Red Hat Linux (and Suse and Oracle) continue to sell despite the existence of Centos. The best part is - while the price is non-zero (and generally too hefty for home use), the freedom is still included.
However, MS was one of the biggest JAVA proponents, even integrating the VM in their OS as soon as possible. So what did Sun gain in fighting over a 'technical' issue with the Windows VM version? It gained a Java standard that continued to be write-once run anywhere (modulo platform bugs). Windows specific extensions are fine, and welcome, in a cross platform standard - provided they are *not* in the core libraries. Sun's mistake, like so many others, was trusting Microsoft.
There are other cross-platform approaches with different advantages and drawbacks (like QT). But I am glad that Java has remained a contender.