It wouldn't be trivial to pull off an attack on a self-signed SSL connection, but it's not hard. On a public wifi system (the scenario you're proposing) it's trivial to fake DNS responses faster than the real responder. The attacker then just presents a different self-signed certificate, using the same DN for the subject and the issuer as the target system. The fingerprint will be different, which may or may not trigger a warning, but the warning will be the same as it was when the self-signed cert was initially presented. This will fool 90% of the people 90% of the time.
If techie people want to secure their personal infrastructure, the solution is to operate their own CA, with appropriate precautions around the signing key, and install the root key for that into their personal systems. That's somewhat harder to attack. Somewhat. Other good things to do include "always VPN into some known better systems" and "use IPSec and/or DNSSEC on your resolver queries". Certificates are something of a last-ditch defence, though, because by the time your TCP connections are being terminated by the attack you've already lost quite a lot of assurance.
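The attack described above works because the only thing a warning dialog (or a user) compares is the DN, which the attacker chooses freely; what they cannot reproduce is the public key. The following is an added example, not code from the original post: it mints two self-signed certificates with identical subject and issuer, shows that a DN comparison cannot tell them apart, and shows an SPKI pin check (with the signature Go's `tls.Config.VerifyPeerCertificate` expects) that accepts only the key seen on first contact. The hostname `imap.example.net` is a constructed placeholder; everything else is the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mints a fresh self-signed certificate whose subject and issuer
// are both the given name. Anyone can do this; calling it twice yields two
// certificates that agree on every DN field and differ only in key material.
func selfSigned(name string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// parent == template makes it self-signed: the issuer is copied from the subject.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// sameDN is all a user eyeballing the warning dialog can compare: does this
// certificate claim the host I expected, and is it signed by "itself"?
func sameDN(a, b *x509.Certificate) bool {
	return a.Subject.String() == b.Subject.String() &&
		a.Issuer.String() == b.Issuer.String()
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo: the value you record
// out-of-band (or on first contact over a link you trust), and the one thing
// the attacker cannot reproduce without the server's private key.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// pinVerifier returns a callback with the tls.Config.VerifyPeerCertificate
// signature that accepts only the pinned key. Paired with InsecureSkipVerify
// (there is no CA to chain a self-signed cert to), this pin is the entire
// trust decision, so an empty chain or a parse failure must also reject.
func pinVerifier(pin string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("server presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if got := spkiPin(leaf); got != pin {
			return fmt.Errorf("SPKI pin mismatch for %q: got %s", leaf.Subject.CommonName, got)
		}
		return nil
	}
}

func main() {
	legit := selfSigned("imap.example.net") // the real server's cert, seen once on a trusted link
	rogue := selfSigned("imap.example.net") // what a DNS-spoofing attacker hands you on public wifi
	pin := spkiPin(legit)
	fmt.Println("same DN on both certs:", sameDN(legit, rogue))
	fmt.Println("legit passes pin:", pinVerifier(pin)([][]byte{legit.Raw}, nil) == nil)
	fmt.Println("rogue passes pin:", pinVerifier(pin)([][]byte{rogue.Raw}, nil) == nil)

	// How the callback is wired into a client. The hostname check that
	// ServerName normally drives is exactly what the attacker satisfies.
	cfg := &tls.Config{InsecureSkipVerify: true, VerifyPeerCertificate: pinVerifier(pin)}
	fmt.Println("client config enforces pin:", cfg.VerifyPeerCertificate != nil)
}
```

The pin is on the key, not the certificate, so the server can re-issue its self-signed cert (new expiry, new serial) without breaking clients as long as the key is kept; it does mean a key rotation has to be communicated over something other than the connection being protected, which is the same problem the "run your own CA" suggestion in the post is solving.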
ISPs aren't seeking the power to disconnect or block; precisely the opposite. They are seeking judicial review of legislation that forces them to do it. They are not asking judges to block sites; they are demanding that in the event they are asked to block sites, each block must be done by a judge. Given that UK courts have recently handed the copyright holders the bill for the ACS:Law debacle and kicked the issue of whether or not an IP number identifies a downloader into the legal long grass (ie, anyone who wants to argue that it does is going to have to litigate it from scratch) I'd say the ISPs were on the customers' side on this. The Labour government, in a horrible rush without proper scrutiny, passed bad and dangerous legislation. The courts are being asked to deem it unenforceable and effectively send it back for reconsideration in parliament (unlike the US, courts can't strike down legislation: they can, however, render the implementation impossible). How are the ISPs possibly the bad guys in this?
Firstly, the extra volume created for ISPs by iPads is close to zero: they're being used as extra devices in houses, and aren't capable of running any of the bandwidth-intensive P2P applications that (when they're pimping different things) ISPs and vendors are keen to tell us represent 90% of their volume.
Secondly, this is a vendor of DPI kit pushing applications for DPI. But it's a doomed endeavour. It would be impossible to split tariffing based on numbers of devices as the market would react with domestic proxies if NAT didn't provide enough aggregation. So the only way it could conceivably be done would be by inspecting packets at close quarters to see which application is being run. At which point the market would respond with encryption.
I've worked in IT continuously since graduating in 1986, I'd been using computers in various guises for ten years prior to that, and I'm now a post-graduate mature student. I've never used Windows for more than ten minutes at a time, and know nothing about it. Oh sure, I've architected multi-platform systems including windows, and managed staff, and procured equipment, and I know roughly how to plan an AD deployment and can even mutter about cross-domain trusts and group policies and update servers and when you need a CAL. But in terms of anything approximating providing desk-side support: nothing. No rebuilds, no installs. My desktop was SunOS/Solaris from 86 to about 2005, and Mac since then. My friends and family know that, so I never get asked.
The parents quite clearly can't see any problem with their children's behaviour, so presumably this is another case of bad parents making bad children. Which is a shame, but there's no reason why the school should have to put up with it. And Alejandra is quite the moron, isn't she: she thinks that if she goes to another school she might start to make bad decisions. Has she looked in a mirror recently and considered how her recent decisions have gone?
And by the way, unlike I suspect a lot of slashdotters, I've got 12 year old children. If mine behaved like this, a lot of things would happen. But lawyering up and demanding my child's First Amendment rights to call named people rapists wouldn't be one of them (because, aside from anything else, it isn't protected speech, and might indeed constitute fighting words). Oh, and isn't the minimum age for Facebook 13 anyway?
For the rest of their lives, Alejandra Sosa and William Lambert (that's Alejandra Sosa and William Lambert) of Chapel Hill can have the fame when Google'd for that they're the sort of fools who go around calling people paedophiles. So that's a sort of retribution. And now everyone knows that their parents are the sort of lumpen "my child is always right" entitled types that lawyer up when their children are caught misbehaving. Not being American I have no idea what an "honor roll" student is, but it appears to encompass stupidity, illiteracy and bad parenting.
Aside from anything else, were I to learn that a child at my children's school was wont to make public accusations of paedophilia and rape of adults, while their parents stand behind them and support them, I wouldn't have those children in my house, and I would raise serious issues with the school governors about those children being present in any place where I had to go (for example, performances, concerts, parents' evenings). Children who behave like that are like loaded handguns, and until their parents can teach them some decent behaviour (rather than lawyering up for a payday), being around them is a serious risk to other adults.
For that testcase, my latency is (fractionally) worse over IPv6.
--- leguin.freenode.net ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 71.533/71.775/72.425/0.376 ms
--- leguin.freenode.net ping6 statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 81.079/81.913/83.537/0.881 ms
But more generally, I've seen cases where indeed it is lower.
In my case I have research interests in IPv6, so it's a testbed, and being able to see all my home network via a /64 is handy. But as breser says, I actually see comparable or better latency via HE as compared to via my own ISP.
Most of my substantial home machines run IPv6, as do my offsite machines, and I link them via Hurricane Electric tunnels. It's a mix of OSX 10.5 and 10.6, Solaris 10, Open Solaris and Solaris 11, with Apple basestations and such. It all "just works", to the point that once I got the DNS sorted out "ssh machine-in-next-room" goes via IPv6 by default, as does remote access to websites that offer IPv6 connectivity.
But I guess Apple and Solaris isn't a typical "home" network...
Actually, it wouldn't. You can normally write a computer program to mimic any human interaction within a browser. There are exceptions, but if content-providers were to move to (say) captchas in adverts prior to serving content, they would be writing their own death warrant: even if they didn't get killed by related providers who didn't impose this load, the simple (im)practicalities and (un)reliability of captchas would mean that far fewer people would read the page, unless it was utterly indispensable.
Ad-supported models are inherently brittle. They rely on advertisers being willing to purchase space, because they believe it to be worth their while. If consumers are unwilling to watch (and, indeed, act on) adverts, the magic money tree suddenly goes bare. No amount of howling that people who skip adverts are "stealing" content will put the fruit back on it. In the UK --- I don't know enough about the US --- the PVR has essentially killed one of the advertising-supported channels (ITV) to the point that its target demographic is now variously the old, poor and stupid who cannot manage a PVR. The smaller advertising-supported channels (ITV2/3/4, say) contain nothing but debt consolidation and personal injury shark adverts, and no-one with a post-16 education would find anything they might want to buy, even if they watched the adverts, which they don't. Unable to see their model is in a death spiral, the owners chase to the bottom, with programming aimed at the diminishing pool of viewers who are prepared to watch. The same is happening with Channel 5, while Channel 4 (which isn't directly ad-supported, but is indirectly ad-supported because as well as its own, small, advertising sales it is funded by a levy on ITV) has seen the writing on the wall and is desperately seeking funding as a top-slice on the BBC license income.
TV is progressively going subscription. Yes, some of the subscription channels also show adverts, but that's gravy, in the manner of adverts in cinemas, and they could live without it by just raising their subscriptions. It's only a matter of time before "free", advertising-supported, web content goes the same way. How are AOL these days?
But at 5% margin on a wholesale price of a few tens of dollars, you'd need everyone in the world to buy a new one every year to fund an $8bn/yr R&D habit.
American cars that I've driven have immense brake and accelerator pedals. European and Japanese cars in many cases have much smaller, especially since most of them are sold predominantly as manuals with autos very much a secondary market. One can imagine that Audis come as something of a shock if you've bought one because they're high status and you've mostly driven Chevy cars before. I've driven a Prius, both the old and the new model, and like a lot of Japanese cars they have delicate and small controls (and the other cars I drive are European automatics, a Saab and a VW, so I'm well used to small pedals). It doesn't seem unreasonable to suspect that older Toyota drivers are more likely to have previously driven American cars than little European things best driven in slippers.
The giveaway with the Audi "unintended acceleration" shtick was that no such "epidemic" happened in Europe, and likewise there hasn't been the slightest trace of a problem with Toyotas. There's been a recall because of this business about a mechanical part in the accelerator pedal assembly, but there are no reported accidents caused by it. Conclusion? Old people used to cars with big pedals should be careful about buying little cars with small pedals.
They're alluding to equality of access (for example, subsidy to get penetration into rural areas at rates at least comparable to dense urban, and hosting on non-discriminatory basis to ensure freedom of --- in their case religious --- speech), rather than what Slashdotters mean by net neutrality.
There are no restocking fees in the UK. Return shipping is still payable, but may not be very much: small country, remember? You can send a parcel containing 2kg of stuff for £4.41, and a 750g packet, which is enough for most mobile phones in their packaging, signed for at the other end, is £3.10. Most vendors swallow the shipping risk themselves.
You only need to type it once, right? Using as a key the output from "openssl rand -base64 9" will resist a million attempts per second brute force attack for on average 75 million years. Worried that's not enough of a safety margin? Worried someone might manage a million times faster attack? "openssl rand -base64 12" will resist a trillion attempts per second (10^12) for 1.25 billion years on average. Now, get on with the rest of your life.
The basic story is slightly hysterical.
Firstly, WPA2 does use a multiple-iteration key derivation function.
Secondly, even with the claimed performance, he can only "brute force" five or six characters, depending on the character set in use. It's enough performance to deal with dictionary words, because, indeed, it's a dictionary attack. But even at 400K password derivations per second (ie 400M SHA-1 hashes per second), eight random characters drawn from the 96 character printable ASCII repertoire are going to take 571 years to perform a brute force attack on, or an average time to success of 285 years. Don't like the odds? My home network uses 12 characters drawn from a 64 character set (ie base 64 encoding), which needs 374 million years (average 167 million) at that performance. Do I give a shit if that number gets reduced by a few orders of magnitude? Not really: I can always move to 15 characters...
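The two posts above rest on two things: that WPA2's passphrase-to-key step is a multi-iteration PBKDF2 (so each guess costs thousands of HMACs), and on keyspace arithmetic for random keys of a given alphabet and length. The following is an added example, not code from the original posts: it writes out PBKDF2-HMAC-SHA1 so the per-guess cost is visible, derives the WPA2 pairwise master key with the parameters IEEE 802.11i fixes (SSID as salt, 4096 iterations, 32 bytes), and carries the posts' brute-force estimates through in code, for both the "openssl rand -base64 9" key (12 base64 characters, 72 bits) and the 8-character printable-ASCII and 12-character base64 cases. The SSID `home-net` and the demo passphrase in `main` are constructed placeholders; the known-answer value checked in the accompanying test is the IEEE 802.11i Annex test vector (passphrase "password", SSID "IEEE").

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math"
)

// pbkdf2SHA1 is RFC 2898 section 5.2 with HMAC-SHA1 as the PRF, written out
// so the per-guess cost is visible: every iteration is one more HMAC that an
// attacker must repeat for every candidate passphrase.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	hLen := prf.Size()
	blocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, blocks*hLen)
	var idx [4]byte
	for i := 1; i <= blocks; i++ {
		// U1 = PRF(P, S || INT(i))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// Uj = PRF(P, Uj-1); T_i = U1 xor U2 xor ... xor Uc
		for j := 2; j <= iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// WPA2 parameters fixed by IEEE 802.11i: SSID as salt, 4096 iterations,
// a 256-bit pairwise master key.
const (
	wpaIterations = 4096
	wpaKeyLen     = 32
)

// hmacCallsPerGuess is the attacker's work per candidate passphrase: a
// 32-byte key needs two 20-byte PBKDF2 blocks, each costing 4096 HMACs.
const hmacCallsPerGuess = wpaIterations * ((wpaKeyLen + sha1.Size - 1) / sha1.Size)

// wpa2PSK derives the PMK from passphrase and SSID.
func wpa2PSK(passphrase, ssid string) []byte {
	return pbkdf2SHA1([]byte(passphrase), []byte(ssid), wpaIterations, wpaKeyLen)
}

// yearsToExhaust is the time to try every string of `length` symbols drawn
// from an alphabet of `alphabet` symbols at `guessesPerSec` derivations/s.
func yearsToExhaust(alphabet, length int, guessesPerSec float64) float64 {
	space := math.Pow(float64(alphabet), float64(length))
	return space / guessesPerSec / (365.25 * 24 * 3600)
}

// expectedYears is the mean time to success: on average the right key sits
// halfway through the space.
func expectedYears(alphabet, length int, guessesPerSec float64) float64 {
	return yearsToExhaust(alphabet, length, guessesPerSec) / 2
}

func main() {
	// Constructed demo: a 12-character base64 key, as "openssl rand -base64 9" produces.
	fmt.Printf("PMK for SSID %q: %s\n", "home-net",
		hex.EncodeToString(wpa2PSK("Qm9iYWZldHQx", "home-net")))
	fmt.Println("HMAC-SHA1 calls per guess:", hmacCallsPerGuess)
	fmt.Printf("8 printable ASCII chars @ 400K/s: %.0f years to exhaust, %.0f expected\n",
		yearsToExhaust(96, 8, 4e5), expectedYears(96, 8, 4e5))
	fmt.Printf("12 base64 chars @ 400K/s: %.3g years to exhaust\n", yearsToExhaust(64, 12, 4e5))
	fmt.Printf("12 base64 chars @ 1M/s:   %.3g years expected\n", expectedYears(64, 12, 1e6))
	fmt.Printf("16 base64 chars @ 1T/s:   %.3g years expected\n", expectedYears(64, 16, 1e12))
}
```

Because the SSID is the salt, a precomputed table is only good for one network name, and the 4096 iterations are why an attacker's rate is quoted in passphrases per second rather than hashes per second; neither helps a passphrase that is in the dictionary, which is the point the second post makes.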
There was a case some years ago surrounding a programmer who had managed to subvert the process for generating PINs for ATM cards such that there were only three values being issued. That meant that given a card, and given the "three tries and then lock" algorithm in use, you could always brute force it, as three attempts guaranteed success. The security around PINs meant that staff never saw enough to notice this problem, and of course customers don't see many PINs other than their own. It's written up in Ross Anderson's paper "Whither Cryptography", 1994.
You can "want" wide area comms all you like, but it's a niche market, and you're not willing to pay even your share of it, never mind the "customer one" startup costs. If there were lots of business applications, research could pay marginal costs or be carried pro bono and everyone would be happy, but the set of business (and, indeed, government) applications is small relative to the costs. And because satellite infrastructures are low bandwidth, if you piled enough people on to make the numbers stack up, the service would collapse: it has to be expensive in order to match demand to capacity. GSM and later 3G have eaten all the cost-effective niches, so what's left is the "will pay any price for bandwidth" market. Which you're not in: you want the bandwidth, but not at any price.
Unfortunately, the reason why you might want to not load images isn't stated in the preferences pane in question, so users at large probably don't realise that images are here being used for another purpose.
Double summer time was also experimented with in the early 1970s. Some of us are old enough to remember this.
When people say that Facebook will last forever, let me say just two letters. CB.
How did "open source is audited by all" work out for Debian's changes to OpenSSL? Badly, I think. http://www.links.org?p=328
Of course, the technique of using an image-load as a beacon to indicate message receipt would potentially work even if everyone encrypted everything.
Irrespective of whether they want to be reached, usually.