Slashdot Mirror


User: profplump

profplump's activity in the archive.

Stories: 0 · Comments: 1,869

Comments · 1,869

  1. Re:Legality of this on Locate Any WiFi Router By Its MAC Address · · Score: 1

    They must be unique IDs to work correctly. And they are supposed to be assigned as unique IDs, though I agree that does not always happen. But that's like claiming that your mailing address isn't a unique ID because someone on your block mislabeled their mailbox.

  2. Re:Legality of this on Locate Any WiFi Router By Its MAC Address · · Score: 1

    I'm seriously telling you that on several network interfaces I've owned there is no unit-specific ID other than the MAC. Why would there need to be?

  3. Re:Good Marketing on ITunes 8 a Real Killer App; Taking Down Vista · · Score: 1

    Welcome to Lyra. Please wait 15.4 minutes while I index your 68 GB of music. After that you'll be limited to playing your music randomly, in lexicographical order by file name, or you can create playlists manually using my 4-button interface.

    Seriously, I appreciate the simplicity of just playing files, but it's disingenuous at best to pretend it isn't useful.

  4. Re:Design from scratch? on NASA Developing Small Nuclear Reactor For the Moon · · Score: 1

    *crackle* - Ahhhh! Fire! The graphite flakes from your pencil shorted out the control panel!

  5. Re:Design from scratch? on NASA Developing Small Nuclear Reactor For the Moon · · Score: 1

    We will still have the capability to launch people into space, we just won't have the will.

  6. Re:Fire did not bring down the 3 buildings. on 'Super Steel' Sought For Fusion Reactors · · Score: 1

    Most fires throughout history were just conspiracies undertaken by the masonry industry. For example, in 1906 they triggered an earthquake as a cover for their city-wide arson in San Francisco. It was expensive, but over the next 10 years their plot paid off 100-fold in increased masonry sales.

    Now masonry companies are trying to prove that steel buildings aren't safe, and convince everyone to build with brick and stone. Unfortunately the government hijacked their conspiracy and used it to wage war. They may have to resort to blaming animals for their arson like they did in 1871 -- it's hard to say that a cow is a terrorist or that O'Leary is Muslim.

  7. Re:$200 bounty on Environmental Cost of Hybrids' Battery Recycling? · · Score: 2, Informative

    It's collective -- it refers to a group of things like "flock" or "bunch". But it's not plural -- batteries is plural.

  8. Re:Why shrinkable? on Best Shrinkable ReiserFS Replacement? · · Score: 1

    Couldn't you solve that same problem by A) not putting /var/log on the same file system as other things you consider more important in the first place, rather than when a problem occurs, and B) leaving yourself some headroom on the disk when you set it up, so if you want to allocate a dedicated few GB for /var/log you can do so without shrinking other file systems?

  9. Re:why the on "Google Satellite" To Be Launched This Week · · Score: 1

    Isn't "exactly" a subset of "like"?

  10. Re:Non-Tech Percent of Web Traffic from Chrome on Google Chrome, Day 2 · · Score: 1

    So because web ads have better metrics consumers have to follow different rules in looking at them? If billboards tracked eyeballs and outdoor advertising companies were paid based on views, would you feel obligated to look at each of them for 3 seconds as you drove by?

    I'm under no obligation to make money for content providers. If I'd like content providers to continue providing, I may *want* to support them by viewing ads or subscribing or otherwise giving them money, but there is no obligation on my part to notice, read or even download ads.

    Don't you feel guilty downloading ads you have no intention of clicking on? Webmasters are often paid based not only on views but also on clicks or even resulting purchases -- isn't it misleading to download and then ignore ads?

  11. Re:Non-Tech Percent of Web Traffic from Chrome on Google Chrome, Day 2 · · Score: 2, Insightful

    If by "added value" you mean "makes pasting a new URL complicated and slow" I agree wholeheartedly.

    Without trying to troll, I really am interested to know what you do that makes this "feature" useful -- I honestly cannot imagine a scenario where I'd want to open another window with the same web page in it. Even if there's some specific application you've got in mind, is the hassle of making cloning the default behavior worth the cost of not having to copy and paste the URL from the previous window from time to time?

  12. Re:Non-Tech Percent of Web Traffic from Chrome on Google Chrome, Day 2 · · Score: 1

    A clone of the current window is more useful? Seriously? That's one of my top ten complaints about IE -- waiting an extra 4 seconds for it to render some page I already have open and don't want to see again.

    I can see wanting to open a link in a new window/tab, but I seriously have trouble constructing a scenario where I'd want another copy of a web page I already have displayed. What's wrong with the existing copy?

  13. Re:Solution: salt your emails on Hashing Email Addresses For Web Considered Harmful · · Score: 1

    "Can not be part of a username" is system-specific (and policy-specific) behavior. I don't allow hyphens, periods, underscores, or numbers in my usernames, and as such they are all valid delimiters.

    Depending on the number of users you have, how abusive they are, and how closely you monitor username selection it's entirely plausible to use a delimiter that *is* allowed in usernames, so long as you don't assign usernames that allow abuse.

  14. Re:The problem is... on State Cannot Force Removal of SSNs From Privacy Advocate's Site · · Score: 1

    An ID is, by definition, public. There's no reason that it couldn't be used as a way to uniquely identify people -- it's a great way to avoid issues with non-unique names, name changes, typos, etc.

    The problem is that credit is issued without authentication. Simply knowing my name and social security number should not be sufficient for you to have credit issued; requiring authentication as part of granting credit, and holding credit issuers liable when they fail to require that authentication, would eliminate this problem entirely whether or not we did anything to hide social security numbers.

  15. Re:Worth it. on Firefox SSL-Certificate Debate Rages On · · Score: 1

    Unless you want to serve more than one domain. Then you need a certificate and an IP address for each domain, which is not trivial when you get into even double-digit numbers of domains.

  16. Re:Worth it. on Firefox SSL-Certificate Debate Rages On · · Score: 2, Insightful

    It's not safer from MitM. But it's a lot safer from passive sniffing. I don't care what the /. trolls tell you -- MitM is quite a bit harder to pull off than passive sniffing.

  17. Re:Worth it. on Firefox SSL-Certificate Debate Rages On · · Score: 1

    Absolutely. We should take care not to mislead people by telling them that sites with self-signed certificates are authenticated, but there's no reason to complain *more* for a self-signed cert than for no cert.

    Mail clients also do this for S/MIME messages, which drives me nuts. Plain old unsigned messages received via SMTP get no marking. Messages with a valid S/MIME signature against a CA the client doesn't recognize get red-flagged. It's ridiculous.

    And as was noted above, it would be much more useful to have a "you've never been here before" and "the security at this site has changed" indicator -- then you can be protected against typo-squatting phishers and against the possibility of a "valid" certificate being issued to someone not entitled to use it.

    But really the answer has to be teaching users that "security" isn't a yes/no proposition. You wouldn't buy a car based just on the rating in a trade magazine -- you would at least consider if that car meets your needs in terms of hauling capacity. Pretending that the only valid use for SSL is encryption with trusted-introducer-based one-way authentication is downright silly.

    That being said, take an extra 4 seconds and set up your own CA rather than using self-signed certificates. Then you can distribute one certificate and make all your services trusted.

  18. Re:Many a foolish man has crossed Houghton Mifflin on Open-Source College Textbooks Gaining Mindshare · · Score: 2, Interesting

    I would consider the COM interface and "VBA compatibility" limitations of Excel, not features. With gnumeric I can write in all sorts of languages -- where's the python interface for Excel?

    I don't know what you do with Matlab -- are you really sending things to Excel for processing, or are you just using it as a data store? And if it's the latter what does the Excel interface buy you that you couldn't get with any of the DB interfaces?

  19. Re:Just for Google? on A Good Reason To Go Full-Time SSL For Gmail · · Score: 3, Informative

    Self-signed certificates raise the level of complexity from "passive snooping at any point along the data path" to "active interception of traffic, either directly or via a secondary exploit".

    Saying that self-signed certificates are worthless is like saying that a fence at a prison is worthless unless it's electric -- sure, the electric fence is better, and it provides additional security, but the plain old fence is a good place to start, and I don't think a lot of wardens would call it "worthless" just because it can be climbed.

    That's not to say that users shouldn't be warned about the lower level of security, but it's a little disingenuous to pretend that a MitM attack is significantly more likely than, say, someone getting a perfectly legitimate, CA-signed certificate for a typo-squatting site.

    My big beef here is that unencrypted traffic produces no such warnings. If I didn't bother to provide a certificate for my website we'd be talking in the clear, and your browser wouldn't even mention it to you (other than maybe that one-time warning about sending data). Meanwhile if I offer a certificate from an authority you don't trust your browser will act as if I'm trying to steal from you rather than protect you. Email clients are just as bad -- regular email has no integrity guarantees, but S/MIME-signed messages are flagged as bad if the CA is untrusted, in spite of the relatively good security compared to messages with no signature.

    The long and the short of it is security is more complicated than an on/off indication, and users will eventually have to deal with that if they want to be secure. I'm not suggesting grandma needs to know how SSL works, but if we replaced the lock with a multi-level system to indicate "plaintext", "signed", "signed and authenticated", "encrypted", "encrypted, signed, and authenticated" -- still a pretty small number of states, all of which could be described in a short hover tooltip -- users could make more informed decisions about the security in place and whether or not it is sufficient for the task at hand.

  20. Re:Just for Google? on A Good Reason To Go Full-Time SSL For Gmail · · Score: 1

    And there is (presumably) some upper limit for how long the SID will work. And there may be other actions that invalidate the SID sooner, such as logging in again. And there's essentially no possibility that the same SID will let you log into other sites.

  21. Re:All in all, another brick outside The Wall on Google Revs Android, FCC Approves First Phone · · Score: 1

    First show me a data connection that has latency consistently under 250ms. Until then VoIP over cellular networks is a non-issue, and T-Mobile/AT&T/etc. couldn't care less what you do over WiFi, so long as you've bought a sufficiently expensive basic plan.

  22. Re:Why it doesn't matter on Level of IPv6 Usage Is Vanishingly Small · · Score: 1

    As long as you only care about internally initiated connections. I'll grant you that HTTP-only users would likely never care. But there are lots of reasons you might want to initiate a connection from outside your home other than pretending that a cable modem is a good place to run a mail server -- hosting a game server, adjusting your web-enabled thermostat, asking your PVR to send something to your laptop, VNCing to your mother's computer to help her with an email problem, etc. If your home doesn't have at least one public address, you just can't have those services; I don't know about you, but I think it would be a real shame to see the Internet turn into a world where only the big boys can host servers and end users can only access those servers via HTTP.

  23. Re:Hmm, it is and it isn't... on Why One-time Passwords Suck For MITM Attacks · · Score: 1

    If you're worried about the client machine being compromised you can't trust passwords, certificates, one-time passwords, or anything else attached to or entered into the client system other than isolated computing environments in a challenge-response configuration (i.e. smartcards, etc.). If your authentication system uses any data that is ever stored in the client RAM, it is possible to obtain that data if the client system is compromised.

    You might not consider a host certificate plus a user password sufficient authentication, but it is definitely two-factor by any reasonable definition, and a VPN system using a client certificate followed by a one-time password would be pretty secure from a bi-directional authentication, MiM standpoint -- even if you tricked a legitimate client into exposing their password you wouldn't be able to complete your own VPN connection without the private client certificate, nor would you have the user's password for services that don't require the certificate.

  24. Re:Futile on Psystar "Definitely Still Shipping" Mac Clones · · Score: 4, Insightful

    Apple are getting their $129 for every sale.

    But Apple has set that price point with the restriction of "must be run on Apple-branded hardware". Who's to say the price wouldn't be $478 for a non-Apple-hardware license? Think of it as an "upgrade price" for people who already bought something else from the manufacturer.

    Apple has chosen not to release a version of the OS without the hardware restriction, and I'm open to debate about whether or not they should, or whether or not the EULA is enforceable. But it's disingenuous to suggest that $129 is fair compensation just because there is some version of the software license available for that price, particularly when the retail price of Windows is more like $250.

  25. Re:Do the police... on Police Secretly Planting GPS Devices On Cars · · Score: 1

    I agree there's more energy in an 80 MPH crash than a 55 MPH crash, but honestly, if the 80 MPH crash was going to kill me, the 55 MPH crash probably would too. The range between "slightly injured" and "dead" is pretty slim, particularly when the speed differential exceeds ~40 MPH.