Slashdot Mirror


User: anarcat

anarcat's activity in the archive.

Stories: 0
Comments: 93

Comments · 93

  1. Re:The perfect storm on High-Security, Open-Source Router is a Hit on Indiegogo (Video) · · Score: 1

    so wait, you are unhappy that we can set up our own OS on that thing? And to fix that, you are proposing to *restrict* the software you can run on it so that you can't modify it... that doesn't keep cisco routers from getting owned, or any other proprietary device from getting hacked, as far as i know.

    there are literally millions of home routers that run a "limited set of well documented functions" that are regularly abused for DDOS attacks to a complete port scan of the entire internet. and there are hundreds of people trying to fix those machines in various ways, either by reverse-engineering the hardware and installing free software on it or by just fixing the proprietary crap that's shipped with those. at least this machine starts on the right foot: it ships with free software and allows you to run your own.

    any machine comes with its own foot shooting device, whether it is its openness or the false feeling of security that it's a fine black box that will never fail and never need to be upgraded.

    not understanding and not being able to fix a device isn't an advantage in security, i thought we agreed on that...

  2. Re:Screen has aged, and it shows on After a Long wait, GNU Screen Gets Refreshed · · Score: 1

    so maybe it's just google profiling me, but "tmux versus screen" doesn't yield any interesting results.

    in fact, it led me back here.

    what *are* the so great things about tmux that should make me give up a ~20 year old habit?

  3. server was seized, almost immediately back online on Imminent Server Seizure Tests Brazil's New Internet Bill of Rights · · Score: 1

    Here's a communique from Saravá:

    https://www.sarava.org/en/node...

  4. what does it look like? on GNU Mailman 3 Enters Beta · · Score: 1

    i see the cool hyperkitty demo at fedora, but what about postorius? what does it look like?

    it would be great if the overly confusing interface of mailman would be simplified...

  5. Re:New direction for his creativity on Sci-fi Author Charles Stross Cancels Trilogy: the NSA Is Already Doing It · · Score: 1

    Actually, that last part (politicians were systematically spied on and investigated) is one of the key plot elements of the novel "The Circle" by Dave Eggers - except everyone is spied on there...

  6. He blinked. on Matt Smith Leaves "Doctor Who" · · Score: 1

    That's why.

  7. my favorites on OpenBSD 5.3 Released · · Score: 5, Informative

    My favorite improvements:

    * OpenSMTPd - can't have too many solid mail servers out there
    * OpenSSH 6.2 - new crypto algorithms and other goodies
    * pf improvements - sloppy state tracking for ICMP
    * relayd and OpenBGPd improvements

    now the question is: how long until those trickle down to sister projects like FreeBSD or Debian/kFreeBSD?

  8. Re:Freeze on Debian 7.0 ('Wheezy') Release Planned For 1st Weekend in May · · Score: 4, Informative

    one thing with the recent developments in Debian is that once Wheezy is released, we'll start working hard on the next release, Jessie. And while unstable may finally be unstable for a little while after the release (while people upload a bunch of new packages), I have had a lot of success running wheezy while it was in testing in the last two years. I suggest that people interested in the "latest and greatest" install wheezy, then upgrade to jessie (testing) when it stabilises a bit after the release.

    That's what I will do anyways. :)

  9. Re:It's a fake routing on The Pirate Bay Claims It Is Now Hosting From North Korea · · Score: 3, Informative

    and there's a followup now that validates what you're saying pretty clearly..

    https://rdns.im/the-pirate-bay-north-korean-hosting-no-its-fake-p2

    quite interesting read!

  10. Lessig's on Aaron Swartz Commits Suicide · · Score: 4, Interesting

    Here's a word from another friend of Aaron: http://lessig.tumblr.com/post/40347463044/prosecutor-as-bully

  11. OSM bugs isn't as useful as actual nodes on OpenStreetMap Hits One Million Registered Users · · Score: 2

    Contributing to OSM is not hard. It's like a wiki, you register and you can edit everything. Even if your neighborhood is mapped, you can still work on adding amenities like restaurants, parking spots, post boxes and all the stuff a person that doesn't know the neighborhood would find useful. I personally keep business cards of the good restaurants i visit and post them on OSM regularly.

    If you use flash, there's a web-builtin editor called Potlatch that's really good. If not, you use jOSM that's shipped with all major distributions and which is also very good (my favorite, even if Java</troll>).

  12. the real game changer: 4G on IPv6 Deployment Picking Up Speed · · Score: 3, Interesting

    The game changer here is that US cell phone companies have finally figured out that 4 layers of NAT isn't exactly a great way to manage a growing network, and are switching to IPv6 for their 4G networks. That is millions of customers right there, using IPv6 without even knowing about it.

    Pieces are falling into place, it's just a matter of time now. And if you lobby your ISP instead of complaining about it, you may get it native too soon enough.

    BTW: for those worried about the switch, let me just mention that both ipv6.google.com and www.kame.net (common test IPv6 addresses) are reachable in *less* latency and *less* hops than their ipv4 counterparts. IPv6 rocks.

  13. Re:gcstar did the job for me on Ask Slashdot: High-Tech Ways To Manage a Home Library? · · Score: 1

    part of my spec was to be able to access the data offline, as I care about my privacy...

  14. gcstar did the job for me on Ask Slashdot: High-Tech Ways To Manage a Home Library? · · Score: 3, Interesting

    I did the inventory of my 500+ book collection here and while it took a few days, the upkeep is minimal, and gcstar allows me to also keep track of people I lend the book to. The interface is awful, but it does connect to Amazon and so on to get book details, including cover pictures, if you have an ISBN. If you don't, then it's likely that Amazon doesn't carry it and you'll have to enter the details by hand anyways, but that's still fairly easy.

    I do not label the books with stickers, RFID or bar codes of any kind. I simply rely on the book name for reference, and since I have very few duplicate books, this usually works. Duplicates can usually be told apart by printing dates or something similar. The library itself is physically arranged by loosely defined categories - I did *not* bother with Dewey.

    I have written a complete article about this that may be useful to you. You may also want to contribute to that wiki page which compares different software offerings.

  15. Pen Type-A kickstarter on Ask Slashdot: The Search For the Ultimate Engineer's Pen · · Score: 1

    Those guys are building a neat metal casing for the Hi-Tec-C ink cartridges: http://www.kickstarter.com/projects/205734763/pen-type-a-a-minimal-pen

  16. Re:Trust us, we have root on Shuttleworth: Trust Us, We're Trying to Make Shopping Better · · Score: 1

    They don't need root access, but in a way, you are giving them the right to run any code on your machine if you accept the updates coming in without review. As we have learned throughout the Microsoft Windows, Apple iTunes and other updates, the upstream can ship software that users sometimes disagree with and while it's not the equivalent of giving them "root", it does mean that, once you accept the update, code you don't like will run on your computer.

    There are of course alternatives: switching operating systems, refusing updates or removing the malicious software, all three of which have been suggested elsewhere in the discussions here.

  17. Re:Trust us, we have root on Shuttleworth: Trust Us, We're Trying to Make Shopping Better · · Score: 1

    I beg to differ, and request that you explain what "begging the question" is, since I obviously seem to misunderstand it. On the site which I refer to, they define it as:

    You presented a circular argument in which the conclusion was included in the premise.

    This logically incoherent argument often arises in situations where people have an assumption that is very ingrained, and therefore taken in their minds as a given. Circular reasoning is bad mostly because it's not very good.

    Example: The word of Zorbo the Great is flawless and perfect. We know this because it says so in The Great and Infallible Book of Zorbo's Best and Most Truest Things that are Definitely True and Should Not Ever Be Questioned.

    I definitely see a parallel in the above explanation and the reasoning behind the "we have root" argument.

    Say the question is: "why should we trust Canonical or Ubuntu to have a peek at our personal search results?" The answer from Shuttleworth seems to be, "because we have root, it means you trust us". In other words, the response to the question of trust is trust, posed as a premise.

    Also, the additional argument you are describing, we can summarize as "you can trust us with X because you trust us with X-1", which may be better presented as a slippery slope fallacy.

    Then again, you are accusing me of misunderstanding logical fallacies, something to which I cannot respond other than asking you to clarify how I misunderstand, or explain your accusation as a poorly articulated ad hominem attack, as opposed to demonstrating my argument as wrong.

    Thank you for your comment and have a nice day.

  18. Re:Trust us, we have root on Shuttleworth: Trust Us, We're Trying to Make Shopping Better · · Score: 1

    I understand that point. The issue I see with it is that it is taken as an argument to justify what I consider to be a privacy issue. Saying "you should trust us with our data" needs a commitment, a show of *ethics* that actually makes us believe and understand they will be careful with it. Instead, we are presented with "well, you should trust us because... you already trust us, because we are root". It's a fallacy, more specifically begging the question.

    I could also construe the whole intervention of Shuttleworth as an appeal to authority, but that would be pushing it a little since, as I said, the Benevolent Dictator doesn't even *need* to appeal to a higher authority. He is, in effect, your root and overlord, and is asserting his power without any shame or guilt. Whee. Also, to be fair, he is making a point that they should think about their responsibilities as admins of all those machines, I just happen to disagree with the path they are taking.

  19. Trust us, we have root on Shuttleworth: Trust Us, We're Trying to Make Shopping Better · · Score: 4, Insightful

    Apart from what's already been mentioned here, one bit particularly troubles me:

    We are not telling Amazon what you are searching for. Your anonymity is preserved because we handle the query on your behalf. Don’t trust us? Erm, we have root. You do trust us with your data already.

    I don't equate having root with having people's data, personally. I happen to adhere to an Ethics Code (SAGE's) that *keeps* me from peeking over people's personal data, *especially* for my own interests. Adding a snitch that reports back not only the machine's existence (you get that through APT automated updates) but also personal search requests to Canonical headquarters by default does seem like a major privacy breach.

    That the dictator of Ubuntu and Canonical brushes his responsibilities aside like this is downright scary if you ask me, especially given the argument is "we have root, we 0wn you already, sorry bud".

  20. you must be new here on Can a Regular Person Repair a Damaged Hard Drive? · · Score: 4, Insightful

    Regular person? This is slashdot, there are no "regular persons" here.

  21. a few excerpts on OAuth 2.0 Standard Editor Quits, Takes Name Off Spec · · Score: 3, Interesting

    Good article, quite interesting to see the problems a community is faced with when going through standards processes.

    Our standards making process is broken beyond repair. This outcome is the direct result of the nature of the IETF, and the particular personalities overseeing this work. To be clear, these are not bad or incompetent individuals. On the contrary – they are all very capable, bright, and otherwise pleasant. But most of them show up to serve their corporate overlords, and it’s practically impossible for the rest of us to compete. Bringing OAuth to the IETF was a huge mistake.

    That is a worrisome situation. With the internet openness being so much based on open standards, the idea that the corporate world is taking over standards and sabotaging them to fulfill their own selfish interests is quite problematic, to say the least.

    As for the actual concerns he is raising about OAuth 2.0, this one is particularly striking:

    Bearer tokens - 2.0 got rid of all signatures and cryptography at the protocol level. Instead it relies solely on TLS. This means that 2.0 tokens are inherently less secure as specified. Any improvement in token security requires additional specifications and as the current proposals demonstrate, the group is solely focused on enterprise use cases.

    I don't know much about oauth, but this sounds like a stupid move.

  22. Scriptno works for me on Google Chrome Becomes World's No. 1 Browser · · Score: 2

  23. Multi-user? on Ask Slashdot: Open Source Multi-User Password Management? · · Score: 1

    Is it multi-user however?

  24. SFLvault on Ask Slashdot: Open Source Multi-User Password Management? · · Score: 4, Informative

    I have been keeping an eye on this project for a while. To quote their description: "SFLvault is a Networked credentials store and authentication manager. It has a client/vault (server) architecture allowing to cryptographically store and organise loads of passwords for different machines and services."

    The design seems sound, and it is a server/client model which seems to fit your "multi-user" requirement well, which isn't fulfilled by any other password manager that I know of. It can also automagically log you into different services like SSH, MySQL or sudo and can do multi-hop.

    The only issue I have found so far is that installing the server component is a bit of a pain (ie. no Debian package, as opposed to the client side)... but i guess this really depends on the "Linux" environment you are using...

    I have been maintaining a list of FLOSS password managers in our public wiki for a while, any suggestions not mentioned there are welcome.

  25. tip #3 was news for me, thanks! on Getting the Most Out of SSH · · Score: 1

    I was also a bit surprised to see basic stuff and some repetition in the article there, but trick #3 was really nice for me:

    ssh-keygen -R remote-hostname

    This will remove the entry for remote-hostname in the known_hosts file, for example if you know the key changed or (don't do that) if you think you're in a MITM attack and don't care.

    now that will fix many countless fiddling around the known_hosts file...