Actually, all that will happen is that the US has built exactly what they've been decrying about the Chinese Internet for so long - only the US will be blocked from accessing those sites and they'll carry on being hosted in foreign countries just as before. It's a "Great Firewall of US" instead, that's all. And the feature creep from piracy to other undesirable things is *exactly* what the Chinese do to block sites that disagree with their regime (up to and including Google for mentioning democracy, for example). And who manages those lists? And how hard would it be to put Wikileaks on it, or any site that discloses "secret" details of Guantanamo Bay etc.?
You still won't be able to shut down anything operating outside the US (hosting, domains, or internet access) and it will still carry on regardless, just that the US won't easily "see" it. It's an all-ways-lose for the US, really, trying to box its citizens off from the real world like China does.
The US "pirates" won't suffer (they'll just download from somewhere else, or find a way to join the same downloads bypassing the filters, or buy a VPN in China with Bitcoins), the non-US "pirates" won't suffer at all, the "pirate" sites will lose a few users but also a whole lot of hassle (if the US people can't see the sites like AllOfMP3 that worked by having Russian music-industry licenses anyway, then what's to sue over?) and also still can't be brought to stand in court in the US unless something very serious has been done and they are extradited, and the music/movie industries get the law they've always wanted (and still there'll be no change to overall piracy levels).
The burden of complying will push content providers out of the US (because now they HAVE to filter everything and Google already fled China once because of the cost of that) and that would include everything from international ad networks to search engines to payment methods (you think Paypal.com would be affected if Paypal's EU bank was doing business with SOPA "offenders"? They'd either partition the company, or just stop trading in one or the other, both options of which hurt the business and customer).
And eventually, someone will realise that they can't go onto site X because it's been added to the list and has nothing to do with piracy (e.g. like the Australian filter list did, where perfectly innocent businesses were filtered for no reason), and that the movie/music industry are STILL claiming the same levels of piracy (so the law did nothing) - like they are in New Zealand at the moment - and that they have similar human rights as regards accessing an Internet as the Chinese do. And then it'll make the news one day, get blown out of all proportion, get thoroughly revoked and never mentioned again and people will carry on their lives.
I'll say it again - the US is one of the least "free" places I've ever been to.
If the value of your business is contained entirely within your source code and/or address book, you have problems.
That's not to say that every business keeps that information secret, or that they all tell it to everyone, but your client list is NOTHING compared to offering your clients a service that they will pay for. If someone can ring up your client and get them to change to their company instead, obviously you weren't doing a very good job with that client.
Similarly, there are lots of workplaces (millions!) that make use of Open Source software. If the value of their company is in that O/S software, they have serious problems. However, if they *use* it and add value elsewhere, it's not a problem at all.
Your missing step 3 is "Fail at retaining customers", and Steps 1 & 2 are irrelevant and unnecessary.
I tried it. I had to skip the introduction. I got through to the second chapter before the repetition and tedium got to me. Ruined setups like "X reached for the Y without using the tongs", immediately followed by Z telling them off for not using the tongs really destroyed the flow of the text for me and I couldn't bear it.
While it wasn't slow, the focus was on the mundanities rather than the plot, and it seemed to crawl by - the characters were pretty lifeless and spoke only in children's-book sentences of everyday things. People being driven from their daughter's house by soldiers as it's demolished is an extreme and powerful image but it didn't come across as that.
I skipped through a few pages after that and it didn't seem to improve. Every chapter seemed to have to end with some sort of dramatic statement that failed to deliver.
Honestly... it needs work. I'm sure loads of people will get it from Amazon or download it but it's really in dire need of some editing (and, in some places that random flicks through it turned up, even typesetting) and more spark.
I don't claim to be an editor, proofreader, author or publisher myself, but it was lacklustre, even if there probably was a good story hidden away there somewhere.
Except, here Amazon is acting more like a publisher of its own (given that it's the one that promotes, sells and distributes your books for you). In that case, there are *plenty* of publishers who have such restrictions on their authors, which is why big-name authors can't chop-and-change between publishers at will, are often "forced" by their contracts to write X amount of books a decade, etc.
Amazon isn't just a library. It used to be. Now it's branched out into everything from gardening tools to publishing and hardware creation to groceries. If you agree to this offer, they are effectively your publisher, and exclusive publisher agreements are far from unheard of.
First packet, with query, sends a list of the accepted formats.
DNS server replies with answer, encrypted in one of them, and the name of the format it replied in, or an error because it didn't know any suitable ones.
No "round trips" above and beyond a normal DNS request except where the two don't want to talk the same language anyway.
- It's the equivalent of every DNS server letting you wrap your queries inside SSL. Nothing really special or clever, and requires the co-operation of all your upstream DNS servers.
- It uses elliptic curve rather than some pluggable system to negotiate an encryption method. EC *hasn't* had anywhere near the deployment hours that conventional PKE has had. It's still, to me, an "unknown" in terms of how breakable it is compared to anything else. No doubt effort is put into it but PKE has decades of attacks in its favour and still holds. Why couldn't the encryption just be negotiable?
- The extra burden - hell, DNS responses can hang computers up as it is if upstream servers are slow. God knows what converting every one of their requests to use ECC would do to servers and clients.
That said, in principle, it's something I'd deploy. If it wasn't barely tested, using EC (and having that be non-negotiable) and having hardly any upstream providers support it.
But it's the equivalent of just SSH'ing into a machine that does your DNS lookups for you, really, just that that machine happens to be your upstream resolver. That then has to communicate to either a DNSCurve server again for the actual lookup (and that server to another, and that to another, etc. etc.) or talk to uncertified nameservers in plaintext as usual anyway.
Personally, I have bigger problems than someone with packet-level access to my traffic potentially seeing what DNS records I lookup.
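The one-round-trip format negotiation sketched in the comment above, written out as an added example (this is not code from the original comment, nor from DNSCurve): the client's single packet carries the question plus the formats it accepts in preference order, the resolver answers in the first of those it also speaks and names the format it used, and when there is no overlap the failure still costs only the one round trip. The format names, the 16-byte pre-shared key, the "zone" entry and the use of AES-GCM as the stand-in encrypted format are all assumptions made for the example; how the two sides agreed on a key is out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Query is the single client packet: the question plus the formats the
// client accepts, in preference order.
type Query struct {
	Name    string
	Accepts []string
}

// Reply names the format the resolver chose and carries the answer encoded
// in it; Err is set instead when no answer can be given.
type Reply struct {
	Format  string
	Payload []byte
	Err     string
}

// codec is one "format": how to seal an answer and how to open it.
type codec struct {
	seal func([]byte) ([]byte, error)
	open func([]byte) ([]byte, error)
}

// psk is a constructed 16-byte pre-shared key (assumption: key agreement is
// outside this example).
var psk = []byte("example-psk-16by")

var aead = mustGCM()

func mustGCM() cipher.AEAD {
	block, err := aes.NewCipher(psk)
	if err != nil {
		panic(err)
	}
	a, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return a
}

// sealGCM returns nonce || ciphertext+tag.
func sealGCM(plain []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plain, nil)...), nil
}

func openGCM(sealed []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("payload too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

func identity(b []byte) ([]byte, error) { return b, nil }

// codecs is the table of formats both sides speak in this example. "plain"
// stands for today's cleartext DNS; "aes128-gcm-psk" is the assumed
// encrypted format.
var codecs = map[string]codec{
	"plain":          {seal: identity, open: identity},
	"aes128-gcm-psk": {seal: sealGCM, open: openGCM},
}

// zone is constructed test data standing in for the resolver's answers.
var zone = map[string]string{"example.test": "192.0.2.10"}

// Serve is the resolver side: one packet in, one packet out.
func Serve(q Query) Reply {
	for _, f := range q.Accepts {
		c, ok := codecs[f]
		if !ok {
			continue // not a format we speak; try the client's next preference
		}
		addr, ok := zone[q.Name]
		if !ok {
			return Reply{Format: f, Err: "NXDOMAIN"}
		}
		payload, err := c.seal([]byte(addr))
		if err != nil {
			return Reply{Format: f, Err: err.Error()}
		}
		return Reply{Format: f, Payload: payload}
	}
	return Reply{Err: "no mutually acceptable format"}
}

// Resolve is the client side. It offers its formats and then refuses any
// reply in a format it never offered, so the resolver (or anyone rewriting
// the reply) cannot pick the format for it.
func Resolve(name string, accepts []string) (string, error) {
	r := Serve(Query{Name: name, Accepts: accepts}) // the single round trip
	if r.Err != "" {
		return "", errors.New(r.Err)
	}
	offered := false
	for _, f := range accepts {
		if f == r.Format {
			offered = true
		}
	}
	c, ok := codecs[r.Format]
	if !ok || !offered {
		return "", errors.New("reply in a format we did not offer")
	}
	answer, err := c.open(r.Payload)
	if err != nil {
		return "", err
	}
	return string(answer), nil
}

func main() {
	for _, accepts := range [][]string{
		{"aes128-gcm-psk", "plain"}, // encrypted: first preference honoured
		{"plain"},                   // cleartext fallback, as today
		{"rot13"},                   // nothing in common: error, still one round trip
	} {
		addr, err := Resolve("example.test", accepts)
		fmt.Printf("%v -> %q %v\n", accepts, addr, err)
	}
}
```

The caveat a deployer would want: the accepted-formats list itself travels in the clear, so an on-path attacker can strip everything but "plain" from the query and the resolver will answer in cleartext without either side seeing anything wrong. The check in Resolve stops a resolver choosing a format the client never offered, but it cannot stop that downgrade; a client that cares has to refuse to offer "plain" at all, or the offer list has to be authenticated.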
Re:CA System - Has Never Worked As Intended. (on Another Dutch CA Hacked) · Score: 4, Insightful
Personally, I now have more faith in the CA system than before.
When a rogue CA was spotted, within days it was revoked AND ALL ITS CERTIFICATES FAILED, including ones running in government departments, in every major web browser (totally independently).
That's a pretty damn good response, and caused the collapse of the company and a government investigation - because browsers that have NOTHING to do with the CA's or the government unilaterally revoked a CA certificate in their browsers.
The point of the CA system is trust. At some point you have to trust someone. Web of trust is just trusting the majority of public opinion, statistics or some other automated metric. The CA system is trusting particular institutions and browser makers (who, if you don't trust anyway, you wouldn't be doing business with or using their product).
One CA abused that trust and they disappeared from the web overnight. But I still trust my CA. It's like saying that because one hosting company had a website vandal, everyone should just stop using website hosts.
And now it's in the news, every tiny little breach is going to come to light whereas before, unless you followed the OCSP revocations religiously, you'd never have known.
The CA system did exactly what it was designed to do and it worked much better than I would have ever expected. I don't see the Dutch CA failing as a failure of the system - the system worked and continues to work. It's like the Internet - it just routes around damage and carries on (by revoking the trust - which you can do yourself in any browser - in those who are untrustworthy).
Ignoring that - they had internal documents that were accessible from their web/database server. Everything else defies belief too but really wouldn't have mattered that much if it had been ONLY their web db that was accessed.
I'm going to assume a lot of "perfect" hardware here but:
Total travel for your average keyboard: 4mm = 0.004m
Total force needed to activate: 0.8N (skimmed from a paper on ergonomics of keyboards)
Work required = 0.0032Nm
Average typist = 30 words per minute = 180 characters per minute = 3 characters per second. So you would tap a key to its full extent every 1/3rd of a second.
Power required to type = 0.010666666666667 watt = 10mW at instantaneous intervals. Hardly enough to power a small USB signal, let alone a transmitting Bluetooth chip, and that's not including things like storage of power when you're not typing, efficiencies, etc.
And NONE of that is useful energy - you'd have to make the keys take twice as much extra effort to type (and thus also incur more RSI-related problems) just to generate that 10mW in excess. The hardware required to make an over-100-keys keyboard generate any useful energy from every key would be, at its simplest, some sort of sprung base that was activated for every keypress below the "base" level where the keys "hit bottom". You'd have a travel of 4mm at most there, and from those 3 presses a second you'd have to generate electricity somehow.
The closest thing I've seen are quantum tunnelling composites and piezoelectrics that require a lot more force, or generate too little electricity, to do anything useful and I don't think you *can* get them as flat sheets the size of a keyboard (though you might be able to arrange some sort of whole keyboard -> small pressurised area).
I just don't think the engineering required would ever reasonably be worth it, it would be more fragile, have many more moving parts, be harder to type on (at risk of inducing RSI), would probably move more under your fingers, and still require internal batteries / capacitors to cope over even brief non-typing periods.
Picture the alternative where we live in a world where people arrive at adulthood and have no concept of war (from movies, games or other media) but, inevitably, it still occurs in the world. 10,000,000 dead is now just a number to them. They can't fight when they are called up because they have no concept of what will happen to them and are too shocked when it does. They don't understand why the Nazis were so bad because "they only killed X amount of people".
It's already happening today. A single soldier killed in Afghanistan can make front-page news, but people have no concept of how many died in the world wars, or how many are dying in Afghanistan that those soldiers were trying to protect.
That's just as bad, and extreme, an alternative as a world where we teach them that "atrocities are fun" and, as with everything, a middle-ground is required. That middle ground would not involve pretending these things don't exist OR encouraging players to commit virtual atrocities (which I've NEVER seen a game do).
When I went to a former-concentration camp in Germany, there was an uncensored video playing of bodies being thrown and pushed by tractor into a pit. Thousands of limp, lifeless bodies being manhandled like someone creating a landfill. It's probably the most scary and horrible thing I've ever seen (and never once has a major motion picture or video game disturbed me or made me wince). And it was playing, quite openly, in the place that they take school trips through. *That's* education, and that's more important than anything.
As soon as you start pretending to people that these things don't exist, that's when you start making them live in dreamworlds that will distance them from reality, make them lack understanding and inevitably shatter one day. You don't need to shove war crimes down their throats (I don't know of any video game that lets you imprison and torture foreign "combatants", without charge, totally against things like the Geneva Convention for decades and get away with it), but equally you should never pretend they don't happen.
Re:OK, here is my myth submission to Mythbusters (on MythBusters Bust House) · Score: 4, Funny
Be careful.
First they'll build a scale model 6" high and do some "math". Then they'll knock up a 6-foot section of a life-size wall and call it plausible. Then they'll "upscale" things and end up building a wall around the equator and blowing it up.
As an Opera user, I can safely say that I hear "With firefox, there's an extension for that..." about just about everything that Opera has built-in and yet Opera doesn't get in my way or require me to install untrusted random junk to do it.
Enjoy a decent browser. Personally, I think it's one of the best ever mail clients too.
I just navigated there, clicked on the sliding fancy menus, clicked on a video, played it, etc. and couldn't see anything that "didn't" work.
Nor could I spot anything wrong before I installed this version of Opera this morning, and have been using Youtube with Opera for years. I don't even do anything like user-agent faking any more (haven't needed that for years now).
Being the default browser of dozens of smartphones, selling themselves on the Wii console, etc.?
Opera make more than enough to keep themselves going, even if you can't "see" it. Hell, their entire Opera Link & Opera Turbo facilities must cost a bomb to run as it is. They'd have gone under long ago if they weren't making money.
I think you have a very blinkered, and quite probably completely false, opinion based on a single example/incident. The chances of someone in IT *bothering* to monitor your credit card like that are virtually zero anyway (that's what SSL is for, you know) and I've known dozens of people who SWEAR there's no way anyone could have got their info that have been charged fraudulently. Anyone with brain enough to intercept your card number in any way (whether by scraping it en-route via an intermediate SSL certificate, or giving history from your computer) wouldn't be stupid enough to put monthly recurring charges on it, or in such a way that your first suspicion is them.
In general, I think IT is one of the most reputable of all the self-governed industries out there. Stories of rogue admins make the news, for heaven's sake, whereas stories of rogue police officers, nurses, etc. looking up people's data are too common to even be news any more. It's hardly ever the admin themselves (and the only example that comes to mind is the guy who held a city IT department to ransom by changing all the switch and server passwords as protest against new IT arrangements - hardly a genius).
And outsourcing doesn't save you. Your credit card is actually more likely to be scammed - for a start, the reason most companies outsource is because the average wage in those places is significantly less than here and they probably care *more* about your porn browsing habits because in a lot of religious countries in the world it's completely illegal. They would have no incentive, morally, to protect you if you're into something that in their country/religion is completely abhorrent.
I have never known an IT admin (of any rank) do anything illicit with the information at their disposal. Since leaving uni I have controlled the IT for schools *exclusively* while I worked for them - and had full admin access on servers containing everything from payroll to contracts to letters (including resignation letters, disciplinary details etc.). Hell, even instant messaging logs between the head and their deputies. I know this data is there because I see the filenames zip past on backups and I'm occasionally asked to retrieve files from old archives.
It's not at all unusual to have children in schools who are part of witness protection programs, subject to child protection investigations (i.e. dad's beating them up or worse), etc. and the school *MUST* have stored documentation on that, kept for X amount of years, and nowadays that means electronic files.
I take my job extremely seriously and I've never even looked, wouldn't contemplate looking, and actually am surprised at just how much access can be obtained just by being seen as "skilled" in IT. Schools have repeatedly given me their top-level domain administrator passwords in the past, even their backup encryption passwords (those few that have them!), etc. and it's almost too easy to obtain complete permissions to an SQL Server backing any of their school management software. That's not an IT problem as such because they didn't HAVE IT guys (which is why I was brought in) but the IT guys I would hand off to upon leaving, I was trusting with that same class of information.
Hell, I refused to give passwords to a deputy headteacher (about three levels above my boss) once because he wanted to use them for himself and I FORCED him to get the data from the head (principal?) directly. He chased me for weeks after I'd left to get that password, and I never knew if he did get it because only myself and the head (his boss) had it at that point, for handover purposes, and I was leaving/left but he sure as hell didn't get it from me.
And I'm not exactly "in the system" - I was a self-employed, employed-on-word-of-mouth, IT guy not long out of uni, making a living by terminating the school's contract with their borough's IT department (who were universally worthless) and taking over their IT for a year to bring it up to spec so they could handover to *any* IT guy. U
The UK Post Office delivers to every mainland UK address every single day, and post is delivered "to the door" (i.e. nobody has a "mailbox" at the end of the drive - you have to walk up every drive and physically put it through each front door and then walk back to the street).
A first-class item will get anywhere (if you post it before the closing of whatever post box you choose, usually 5pm) next day, guaranteed, and they will deliver over 600 miles away on a first-class stamp (currently 46p). Franked mail is even cheaper/quicker.
The delivery of the item is the cheap part, it's the handling, speed and mass-transit in the middle that's expensive (petrol / aviation fuel). By comparison hiring a guy to pedal a bike (literally, they give our posties rusty old push-bikes) and deliver to a couple of hundred addresses is nothing.
Same with protests over fuel. In the UK, the government try to raise road taxes, introduce tolls, car-share lanes, congestion charging, parking fees etc. when the only thing that matters is pence per litre. Raise that, and blanket the roads in "no parking", "no gas-guzzlers" signs that are ENFORCED and the hardest-users are hit worse (including those who use higher grades of fuel, drive more, have huge cars, make unnecessary journeys etc.)
I'd much rather pay PAYG extra fuel and not have to keep digging out change/cards, fill in forms, etc. and get a shock at having to pay some things once a year, some every time I fill up, some when I use only a certain road, etc. for the use of the roads.
The only problem with usage-based billing is making sure that the measures are accurate, account for all usage (i.e. no point just metering download if someone else can upload ten times as much and pay less) and work out to the same rates for normal-usage users.
I pay about £10 a month for a basic (lowest package) 30Gb allowance. To me, that means I pay £0.33p per Gb. That seems not unreasonable, given local ISP prices. But if you try to charge me more than that per Gb then we're obviously going to have contention. And if I *do* want to use 100Gb one month, it had better be available because *I'm paying for it*. And if I use 1Gb, you better not charge me more than £0.33p (plus a small monthly fee, I bet!).
You can have it any way you like, PAYG, contract, etc. but the point is that if you bill me by usage, I *will* use what I want, when I want and pay ONLY what I feel is fair under those circumstances. When some telcos are still charging pounds per MEGABYTE for mobile data (and not "Oh, you went over 30Mb, so we limited the speed of your mobile data" like they do with broadband) it seems only right that this "fair" mechanism comes to broadband and is adjusted to meet TODAY'S standards as well as tomorrow's (i.e. don't charge me more than I'm paying now for the same usage).
I don't think they can't (if they really needed to) - I think it's one of their excuses for further funding and to blanket-control everything that enters or leaves the UK electronically:
But they have used it as one of the reasons that they need "more power" because they "can't even listen in on Skype". At that point, you have to wonder if they are worth having at all, not give them sympathy, funds and have them employ people at civil-service-wages.
They've been advertising on plain Facebook ads for months, if not years.
Strange that highly qualified computing/maths graduates don't want to snoop on foreign governments (and their own people) when their potential employers are publishing news stories that they can't even intercept Skype calls, are offering zero information on exactly what you're expected to do and how much you'll be paid for it (which is pretty pitiful when they do tell you), etc.
I'm a maths & computing graduate, with a love and special interest for cryptography. I've seen dozens of adverts by both GCHQ and even MI5 for similar positions in papers, online and everywhere you'd normally advertise jobs over the years. They're obviously desperate for recruits (and seeing the dross that passes for university degrees these days, I'm not shocked).
But they don't give you even basic information and the only time GCHQ hits the news is when they want more and more control over your communications despite being less and less relevant since public-key encryption started to become the norm (ironically killed, pretty much, by their own invention).
I think it would be against my principles to actually WORK for them, even if I admire their historical efforts, support the cause to save Bletchley Park, think Turing deserves a little more recognition and respect for his work etc. Nowadays, I just get the impression that GCHQ want to blanket-snoop on my own people for no reason, catch the low-hanging fruit of people too stupid to use encryption (despite the fact that there's not a single recorded instance of someone "breaking" PKE encryption and using the results in a court case, even for terrorism where we've had to let people go or imprison them because we *THINK* they might have something incriminating in the encrypted data), and/or "justify" their existence / funding by creating the occasional terrorist scare story.
I don't think the bulk of the brains want to work for them because of what they've creeped into, it's as simple as that.
Never heard of misinformation? And it would also show just what the candidate is capable of (i.e. keeping up one identity which is false, which may be useful to someone intercepting communications).
And if foreign governments can NAME our cryptographers, I'd be more worried about that in itself, rather than anything else they could find out about them.
Or just have proper isolation and not ***execute*** random code at all.
The problem with Windows is not necessarily programmers, it's the design and the expectations of its users. For some reason, if your email client doesn't automatically execute and display that Powerpoint presentation without warnings, people get annoyed. If the Flash/Java sections of a website aren't seamlessly executed as they load people think things are broken. If the executable they download isn't immediately installable, they question it. If their Word macros don't run when they open the documents, they complain.
The "saviour" of other OS is really the culture (because we're not immune to the same things happening on Linux, etc. you know?) - You *can't* execute code without the execute bit set, and users of the system know WHY that is, and they are careful about what they apply the execute bit to (and we don't put up messages that say "Hey, this isn't executable, shall I do it for you?").
Is there an equivalent concept of "non-executable" on Windows that's usable in an everyday environment for random users? Not really. The nearest you get is Software Restriction policies, but they are a nightmare to manage and nobody uses them (and even then it's still possible to execute random code from the Internet if you just pipe it through a trusted program, e.g. a Word macro).
If you use a decent browser with the correct security, Flash/Java apps appear as nothing more than a play button that *YOU* decide to click and ZERO code is executed from that app until you do (and you'd be amazed how many play buttons I see each day just browsing ordinary websites that I *NEVER* click on because I stop noticing they are there unless I've gone to something that I understand NEEDS to execute a Java app for whatever reason).
Why a web browser NEEDS to run executable code to do its job, I'll never understand - it's nothing more than a renderer, like Ghostscript, except you don't see Ghostscript executing in-built shell commands or machine code in the Postscript it's trying to render (though even that's had its fair share of problems, they are NOTHING compared to a browser flaw). Does Internet Explorer even have options to let you selectively load Flash/Java? No (and even on Firefox, it's an additional plugin). Opera has it available by default, though.
Hell, Intel, nVidia, Windows Update etc. encourage you to run an ActiveX or Java app so they can "detect your hardware" to choose the best drivers - does that not throw warning bells to people about how much access it would have to the system if you allowed it? And because it's the largest companies (and even the suppliers of the damn OS) that encourage it, people think that's okay.
The problem of viruses is NOT computer related, it's entirely user-related. Not updating software, not running AV (though I'm against the whole idea of AV, personally, when managing your computer properly works so much better), not clicking Yes, inserting untested storage devices, having Autorun enabled, not having the most basic firewall, etc. The holes that are there are there because of the design / choices / implementation of the OS manufacturer, sure, but they get exploited because of the choices of the user.
The systems that OS vendors have deployed against viruses include anti-virus (the biggest scam of our time, as far as I'm concerned), forcing Autorun off after 10 years of OS deployment, running browsers in separate processes to explorer windows and other ridiculous half-measures.
At no point is there a mention of complete isolation (as in a chroot-style environment - why does a browser EVER need to write to anything other than a single downloads directly that the OS won't let you run programs directly from it?), or of just not executing this crap by default. How many programs actually assign Windows ACL permissions to their folders, for example? Hell, historically WMF's were nothing more than a list of GDI-executed
Seriously, fire on board something like that would be about the scariest thing to deal with. With loss of air or something, you don't have time to panic but if the fires are burning at 100th their normal rate but are large enough to be pretty much unextinguishable, you've got a lot of fighting to do before you eventually end up burning.
It'll get into every possible escape route and keep following you, it'll slowly suck up all fuel everywhere (can't just "move stuff away" if the *fire* is floating about), it'll be unpredictable and hard to tell when it's gone out, and it'll get into everything. And you're in a confined tin that you're relying on staying all in one piece to get back home at any point.
The question is: why haven't we researched this more already?
Actually, all that will happen is that the US has built exactly what they've been decrying about the Chinese Internet for so long - only the US will be blocked from accessing those sites and they'll carry on being hosted in foreign countries just as before. It's a "Great Firewall of US" instead, that's all. And the feature creep from piracy to other undesirable things is *exactly* what the Chinese do to block sites that disagree with their regime (up to and including Google for mentioning democracy, for example). And who manages those lists? And how hard would it be to put Wikileaks on it, or any site that discloses "secret" details of Guantanamo Bay etc.?
You still won't be able to shut down anything operating outside the US (hosting, domains, or internet access) and it will still carry on regardless, just that the US won't easily "see" it. It's an all-ways-lose for the US, really, trying to box its citizens off from the real world like China does.
The US "pirates" won't suffer (they'll just download from somewhere else, or find a way to join the same downloads bypassing the filters, or buy a VPN in China with Bitcoins), the non-US "pirates" won't suffer at all, the "pirate" sites will lose a few users but also a whole lot of hassle (if the US people can't see the sites like AllOfMP3 that worked by having Russian music-industry licenses anyway, then what's to sue over?) and also still can't be brought to stand in court in the US unless something very serious has been done and they are extradited, and the music/movie industries get the law they've always wanted (and still there'll be no change to overall piracy levels).
The burden of complying will push content providers out of the US (because now they HAVE to filter everything and Google already fled China once because of the cost of that) and that would include everything from international ad networks to search engines to payment methods (you think Paypal.com would be affected if Paypal's EU bank was doing business with SOPA "offenders"? They'd either partition the company, or just stop trading in one or the other, both options of which hurt the business and customer).
And eventually, someone will realise that they can't go onto site X because it's been added to the list and has nothing to do with piracy (e.g. like the Australian filter list did, where perfectly innocent businesses were filtered for no reason), and that the movie/music industry are STILL claiming the same levels of piracy (so the law did nothing) - like they are in New Zealand at the moment - and that they have similar human rights as regards accessing an Internet as the Chinese do. And then it'll make the news one day, get blown out of all proportion, get thoroughly revoked and never mentioned again and people will carry on their lives.
I'll say it again - the US is one of the least "free" places I've ever been to.
If the value of your business is contained entirely within your source code and/or address book, you have problems.
That's not to say that every business keeps that information secret, or that they all tell it to everyone, but your client list is NOTHING compared to offering your clients a service that they will pay for. If someone can ring up your client and get them to change to their company instead, obviously you weren't doing a very good job with that client.
Similarly, there are lots of workplaces (millions!) that make use of Open Source software. If the value of their company is in that O/S software, they have serious problems. However, if they *use* it and add value elsewhere, it's not a problem at all.
Your missing step 3 is "Fail at retaining customers", and Steps 1 & 2 are irrelevant and unnecessary.
I tried it. I had to skip the introduction. I got through to the second chapter before the repetition and tedium got to me. Ruined setups like "X reached for the Y without using the tongs", immediately followed by Z telling them off for not using the tongs really destroyed the flow of the text for me and I couldn't bear it.
While it wasn't slow, the focus was on the mundanities rather than the plot, and it seemed to crawl by - the characters were pretty lifeless and spoke only in children's-book sentences of everyday things. People being driven from their daughter's house by soldiers as it's demolished is an extreme and powerful image but it didn't come across as that.
I skipped through a few pages after that and it didn't seem to improve. Every chapter seemed to have to end with some sort of dramatic statement that failed to deliver.
Honestly... it needs work. I'm sure loads of people will get it from Amazon or download it but it's really in dire need of some editing (and even in some places, that random flicks through it found, typesetting) and more spark.
I don't claim to be an editor, proofreader, author or publisher myself, but it was lacklustre, even if there probably was a good story hidden away there somewhere.
Except, here Amazon is acting more like a publisher of its own (given that it's the one that promotes, sells and distributes your books for you). In that case, there are *plenty* of publishers who have such restrictions on their authors, which is why big-name authors can't chop-and-change between publishers at will, are often "forced" by their contracts to write X amount of books a decade, etc.
Amazon isn't just a library. It used to be. Now it's branched out into everything from gardening tools to publishing and hardware creation to groceries. If you agree to this offer, they are effectively your publisher, and exclusive publisher agreements are far from unheard of.
But you missed "should by" instead of "should be".
Update? That's what CRLs are for, as you point out.
Opera was never "updated" to remove the DigiNotar cert, for instance.
First packet, with query, sends a list of the accepted formats.
DNS server replies with answer, encrypted in one of them, and the name of the format it replied in, or an error because it didn't know any suitable ones.
No "round trips" above and beyond a normal DNS request except where the two don't want to talk the same language anyway.
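The exchange described in the comment above, worked through as an added example that is not part of the original thread and is not DNSCurve's own code: the client lists the answer formats it accepts in its first packet, and the server replies in the first of those it also supports (naming the format) or with an error when there is no overlap, so the negotiation costs no extra round trip. The format names, the stub zone and the `wrap`/`unwrap` stand-in for real encryption are all constructed for the example.

```python
"""Single-round-trip format negotiation for a DNS-style lookup.

Added example (not from the original thread, not DNSCurve's code): the
client announces its accepted formats in the query; the server answers in
the client's most preferred format it supports, or returns an error when
there is no common format. Everything below is a constructed stand-in.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Formats this (constructed) server can answer in.
SERVER_FORMATS = {"curve25519-box", "rsa-aes-gcm", "plaintext"}

# Constructed stub zone used instead of a real resolver.
ZONE = {"example.com.": "192.0.2.1", "example.net.": "192.0.2.2"}


@dataclass
class Query:
    name: str
    accepted_formats: List[str]   # client preference order, most preferred first


@dataclass
class Response:
    status: str                   # "ok", "nxdomain" or "no-common-format"
    fmt: Optional[str]            # format the answer is wrapped in, if any
    payload: Optional[str]


def wrap(answer: str, fmt: str) -> str:
    """Stand-in for encrypting/signing the answer under `fmt`."""
    return f"[{fmt}]{answer}"


def unwrap(payload: str, fmt: str) -> str:
    """Reverse of wrap(); rejects a payload not in the announced format."""
    prefix = f"[{fmt}]"
    if not payload.startswith(prefix):
        raise ValueError("payload not in the announced format")
    return payload[len(prefix):]


def serve(query: Query) -> Response:
    """Server side: pick the client's most preferred format we support."""
    chosen = next((f for f in query.accepted_formats if f in SERVER_FORMATS), None)
    if chosen is None:
        # No overlap: the error itself is the reply, still one round trip.
        return Response("no-common-format", None, None)
    answer = ZONE.get(query.name)
    if answer is None:
        return Response("nxdomain", chosen, None)
    return Response("ok", chosen, wrap(answer, chosen))


def lookup(name: str, accepted: List[str]) -> Tuple[str, Optional[str], Optional[str], int]:
    """Client side. Returns (status, format, answer, round_trips)."""
    round_trips = 1                       # one query packet, one reply packet
    resp = serve(Query(name, accepted))
    if resp.status != "ok":
        return resp.status, resp.fmt, None, round_trips
    return resp.status, resp.fmt, unwrap(resp.payload, resp.fmt), round_trips


if __name__ == "__main__":
    print(lookup("example.com.", ["rsa-aes-gcm", "curve25519-box"]))
    print(lookup("example.com.", ["chacha20-only"]))
```

Note that "plaintext" is only ever used when the client lists it itself; a client that omits it gets an error rather than a silent downgrade, which is the property to check in any real negotiation scheme.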
It's a good idea but:
- It's the equivalent of every DNS server letting you wrap your queries inside SSL. Nothing really special or clever, and requires the co-operation of all your upstream DNS servers.
- It uses elliptic curve rather than some pluggable system to negotiate an encryption method. EC *hasn't* had anywhere near the deployment hours that conventional PKE has had. It's still, to me, an "unknown" in terms of how breakable it is compared to anything else. No doubt effort is put into it but PKE has decades of attacks in its favour and still holds. Why couldn't the encryption just be negotiable?
- The extra burden - hell, DNS responses can hang computers up as it is if upstream servers are slow. God knows what converting every one of their requests to use ECC would do to servers and clients.
That said, in principle, it's something I'd deploy. If it wasn't barely tested, using EC (and having that be non-negotiable) and having hardly any upstream providers support it.
But it's the equivalent of just SSH'ing into a machine that does your DNS lookups for you, really, just that that machine happens to be your upstream resolver. That then has to communicate to either a DNSCurve server again for the actual lookup (and that server to another, and that to another, etc. etc.) or talk to uncertified nameservers in plaintext as usual anyway.
Personally, I have bigger problems than someone with packet-level access to my traffic potentially seeing what DNS records I look up.
Personally, I now have more faith in the CA system than before.
When a rogue CA was spotted, within days it was revoked AND ALL ITS CERTIFICATES FAILED, including ones running in government departments, in every major web browser (totally independently).
That's a pretty damn good response, and caused the collapse of the company and a government investigation - because browsers that have NOTHING to do with the CAs or the government unilaterally revoked a CA certificate in their browsers.
The point of the CA system is trust. At some point you have to trust someone. Web of trust is just trusting the majority of public opinion, statistics or some other automated metric. The CA system is trusting particular institutions and browser makers (who, if you don't trust anyway, you wouldn't be doing business with or using their product).
One CA abused that trust and they disappeared from the web overnight. But I still trust my CA. It's like saying that because one hosting company had a website vandal, everyone should just stop using website hosts.
And now it's in the news, every tiny little breach is going to come to light whereas before, unless you followed the OCSP revocations religiously, you'd never have known.
The CA system did exactly what it was designed to do and it worked much better than I would have ever expected. I don't see the Dutch CA failing as a failure of the system - the system worked and continues to work. It's like the Internet - it just routes around damage and carries on (by revoking the trust - which you can do yourself in any browser - in those who are untrustworthy).
Ignoring that - they had internal documents that were accessible from their web/database server. Everything else defies belief too but really wouldn't have mattered that much if it had been ONLY their web db that was accessed.
I'm going to assume a lot of "perfect" hardware here but:
Total travel for your average keyboard: 4mm = 0.004m
Total force needed to activate: 0.8N (scrimmed from a paper on ergonomics of keyboards)
Work required = 0.0032Nm
Average typist = 30 words per minute = 180 characters per minute = 3 characters per second. So you would tap a key to its full extent every 1/3rd of a second.
Power required to type = 0.010666666666667 watt = 10mW at instantaneous intervals. Hardly enough to power a small USB signal, let alone a transmitting Bluetooth chip, and that's not including things like storage of power when you're not typing, efficiencies, etc.
And NONE of that is useful energy - you'd have to make the keys take twice as much extra effort to type (and thus also incur more RSI-related problems) just to generate that 10mW in excess. The hardware required to make an over-100-keys keyboard generate any useful energy from every key would be, at its simplest, some sort of sprung base that was activated for every keypress below the "base" level where the keys "hit bottom". You'd have a travel of 4mm at most there, and from those 3 presses a second you'd have to generate electricity somehow.
The closest thing I've seen are quantum tunnelling composites and piezoelectrics that require a lot more force, or generate too little electricity, to do anything useful and I don't think you *can* get them as flat sheets the size of a keyboard (though you might be able to arrange some sort of whole keyboard -> small pressurised area).
I just don't think the engineering required would ever reasonably be worth it, it would be more fragile, have many more moving parts, be harder to type on (at risk of inducing RSI), would probably move more under your fingers, and still require internal batteries / capacitors to cope over even brief non-typing periods.
In a single line: Just not worth it.
Which is probably why they don't exist.
Picture the alternative where we live in a world where people arrive at adulthood and have no concept of war (from movies, games or other media) but, inevitably, it still occurs in the world. 10,000,000 dead is now just a number to them. They can't fight when they are called up because they have no concept of what will happen to them and are too shocked when it does. They don't understand why the Nazis were so bad because "they only killed X amount of people".
It's already happening today. A single soldier killed in Afghanistan can make front-page news, but people have no concept of how many died in the world wars, or how many are dying in Afghanistan that those soldiers were trying to protect.
That's just as bad, and extreme, an alternative as a world where we teach them that "atrocities are fun" and, as with everything, a middle-ground is required. That middle ground would not involve pretending these things don't exist OR encouraging players to commit virtual atrocities (which I've NEVER seen a game do).
When I went to a former-concentration camp in Germany, there was an uncensored video playing of bodies being thrown and pushed by tractor into a pit. Thousands of limp, lifeless bodies being manhandled like someone creating a landfill. It's probably the most scary and horrible thing I've ever seen (and never once has a major motion picture or video game disturbed me or made me wince). And it was playing, quite openly, in the place that they take school trips through. *That's* education, and that's more important than anything.
As soon as you start pretending to people that these things don't exist, that's when you start making them live in dreamworlds that will distance them from reality, make them lack understanding and inevitably shatter one day. You don't need to shove war crimes down their throats (I don't know of any video game that lets you imprison and torture foreign "combatants", without charge, totally against things like the Geneva Convention for decades and get away with it), but equally you should never pretend they don't happen.
Be careful.
First they'll build a scale model 6" high and do some "math". Then they'll knock up a 6-foot section of a life size wall and call it plausible. Then they'll "upscale" things and end up building a wall around the equator and blowing it up.
As an Opera user, I can safely say that I hear "With Firefox, there's an extension for that..." about just about everything that Opera has built-in and yet Opera doesn't get in my way or require me to install untrusted random junk to do it.
Enjoy a decent browser. Personally, I think it's one of the best ever mail clients too.
Please define "doesn't work".
I just navigated there, clicked on the sliding fancy menus, clicked on a video, played it, etc. and couldn't see anything that "didn't" work.
Nor could I spot anything wrong before I installed this version of Opera this morning, and have been using YouTube with Opera for years. I don't even do anything like user-agent faking any more (haven't needed that for years now).
Being the default browser of dozens of smartphones, selling themselves on the Wii console, etc.?
Opera make more than enough to keep themselves going, even if you can't "see" it. Hell, their entire Opera Link & Opera Turbo facilities must cost a bomb to run as it is. They'd have gone under long ago if they weren't making money.
I think you have a very blinkered, and quite probably completely false, opinion based on a single example/incident. The chances of someone in IT *bothering* to monitor your credit card like that are virtually zero anyway (that's what SSL is for, you know) and I've known dozens of people who SWEAR there's no way anyone could have got their info that have been charged fraudulently. Anyone with brain enough to intercept your card number in any way (whether by scraping it en-route via an intermediate SSL certificate, or giving history from your computer) wouldn't be stupid enough to put monthly recurring charges on it, or in such a way that your first suspicion is them.
In general, I think IT is one of the most reputable of all the self-governed industries out there. Stories of rogue admins make the news, for heaven's sake, whereas stories of rogue police officers, nurses, etc. looking up people's data are too common to even be news any more. It's hardly ever the admin themselves (and the only example that comes to mind is the guy who held a city IT department to ransom by changing all the switch and server passwords as protest against new IT arrangements - hardly a genius).
And outsourcing doesn't save you. Your credit card is actually more likely to be scammed - for a start, the reason most companies outsource is because the average wage in those places is significantly less than here and they probably care *more* about your porn browsing habits because in a lot of religious countries in the world it's completely illegal. They would have no incentive, morally, to protect you if you're into something that in their country/religion is completely abhorrent.
I have never known an IT admin (of any rank) do anything illicit with the information at their disposal. Since leaving uni I have controlled the IT for schools *exclusively* while I worked for them - and had full admin access on servers containing everything from payroll to contracts to letters (including resignation letters, disciplinary details etc.). Hell, even instant messaging logs between the head and their deputies. I know this data is there because I see the filenames zip past on backups and I'm occasionally asked to retrieve files from old archives.
It's not at all unusual to have children in schools who are part of witness protection programs, subject to child protection investigations (i.e. dad's beating them up or worse), etc. and the school *MUST* have stored documentation on that, kept for X amount of years, and nowadays that means electronic files.
I take my job extremely seriously and I've never even looked, wouldn't contemplate looking, and actually am surprised at just how much access can be obtained just by being seen as "skilled" in IT. Schools have repeatedly given me their top-level domain administrator passwords in the past, even their backup encryption passwords (those few that have them!), etc. and it's almost too easy to obtain complete permissions to an SQL Server backing any of their school management software. That's not an IT problem as such because they didn't HAVE IT guys (which is why I was brought in) but the IT guys I would hand off to upon leaving, I was trusting with that same class of information.
Hell, I refused to give passwords to a deputy headteacher (about three levels above my boss) once because he wanted to use them for himself and I FORCED him to get the data from the head (principal?) directly. He chased me for weeks after I'd left to get that password, and I never knew if he did get it because only myself and the head (his boss) had it at that point, for handover purposes, and I was leaving/left but he sure as hell didn't get it from me.
And I'm not exactly "in the system" - I was a self-employed, employed-on-word-of-mouth, IT guy not long out of uni, making a living by terminating the school's contract with their borough's IT department (who were universally worthless) and taking over their IT for a year to bring it up to spec so they could handover to *any* IT guy. U
So you can spell repatriating but not subpoenaed?
The UK Post Office delivers to every mainland UK address every single day, and post is delivered "to the door" (i.e. nobody has a "mailbox" at the end of the drive - you have to walk up every drive and physically put it through each front door and then walk back to the street).
A first-class item will get anywhere (if you post it before the closing of whatever post box you choose, usually 5pm) next day, guaranteed, and they will deliver over 600 miles away on a first-class stamp (currently 46p). Franked mail is even cheaper/quicker.
The delivery of the item is the cheap part, it's the handling, speed and mass-transit in the middle that's expensive (petrol / aviation fuel). By comparison hiring a guy to pedal a bike (literally, they give our posties rusty old push-bikes) and deliver to a couple of hundred addresses is nothing.
Same with protests over fuel. In the UK, the government try to raise road taxes, introduce tolls, car-share lanes, congestion charging, parking fees etc. when the only thing that matters is pence per litre. Raise that, and blanket the roads in "no parking", "no gas-guzzlers" signs that are ENFORCED and the hardest-users are hit worse (including those who use higher grades of fuel, drive more, have huge cars, make unnecessary journeys etc.)
I'd much rather pay PAYG extra fuel and not have to keep digging out change/cards, fill in forms, etc. and get a shock at having to pay some things once a year, some every time I fill up, some when I use only a certain road, etc. for the use of the roads.
The only problem with usage-based billing is making sure that the measures are accurate, account for all usage (i.e. not just metering download if someone else can upload ten times as much and pay less) and work out to the same rates for normal-usage users.
I pay about £10 a month for a basic (lowest package) 30Gb allowance. To me, that means I pay £0.33p per Gb. That seems not unreasonable, given local ISP prices. But if you try to charge me more than that per Gb then we're obviously going to have contention. And if I *do* want to use 100Gb one month, it had better be available because *I'm paying for it*. And if I use 1Gb, you better not charge me more than £0.33p (plus a small monthly fee, I bet!).
You can have it any way you like, PAYG, contract, etc. but the point is that if you bill me by usage, I *will* use what I want, when I want and pay ONLY what I feel is fair under those circumstances. When some telcos are still charging pounds per MEGABYTE for mobile data (and not "Oh, you went over 30Mb, so we limited the speed of your mobile data" like they do with broadband) it seems only right that this "fair" mechanism comes to broadband and is adjusted to meet TODAY'S standards as well as tomorrow's (i.e. don't charge me more than I'm paying now for the same usage).
I don't think they can't (if they really needed to) - I think it's one of their excuses for further funding and to blanket-control everything that enters or leaves the UK electronically:
http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/
But they have used it as one of the reasons that they need "more power" because they "can't even listen in on Skype". At that point, you have to wonder if they are worth having at all, not give them sympathy, funds and have them employ people at civil-service-wages.
They've been advertising on plain Facebook ads for months, if not years.
Strange that highly qualified computing/maths graduates don't want to snoop on foreign governments (and their own people) when their potential employers are publishing news stories that they can't even intercept Skype calls, are offering zero information on exactly what you're expected to do and how much you'll be paid for it (which is pretty pitiful when they do tell you), etc.
I'm a maths & computing graduate, with a love and special interest for cryptography. I've seen dozens of adverts by both GCHQ and even MI5 for similar positions in papers, online and everywhere you'd normally advertise jobs over the years. They're obviously desperate for recruits (and seeing the dross that passes for university degrees these days, I'm not shocked).
But they don't give you even basic information and the only time GCHQ hits the news is when they want more and more control over your communications despite being less and less relevant since public-key encryption started to become the norm (ironically killed, pretty much, by their own invention).
I think it would be against my principles to actually WORK for them, even if I admire their historical efforts, support the cause to save Bletchley Park, think Turing deserves a little more recognition and respect for his work etc. Nowadays, I just get the impression that GCHQ want to blanket-snoop on my own people for no reason, catch the low-hanging fruit of people too stupid to use encryption (despite the fact that there's not a single recorded instance of someone "breaking" PKE encryption and using the results in a court case, even for terrorism where we've had to let people go or imprison them because we *THINK* they might have something incriminating in the encrypted data), and/or "justify" their existence / funding by creating the occasional terrorist scare story.
I don't think the bulk of the brains want to work for them because of what they've creeped into, it's as simple as that.
Never heard of misinformation? And it would also show just what the candidate is capable of (i.e. keeping up one identity which is false, which may be useful to someone intercepting communications).
And if foreign governments can NAME our cryptographers, I'd be more worried about that in itself, rather than anything else they could find out about them.
"Web browsers should run in a VM session"
Or just have proper isolation and not ***execute*** random code at all.
The problem with Windows is not necessarily programmers, it's the design and the expectations of its users. For some reason, if your email client doesn't automatically execute and display that PowerPoint presentation without warnings, people get annoyed. If the Flash/Java sections of a website aren't seamlessly executed as they load people think things are broken. If the executable they download isn't immediately installable, they question it. If their Word macros don't run when they open the documents, they complain.
The "saviour" of other OS is really the culture (because we're not immune to the same things happening on Linux, etc. you know?) - You *can't* execute code without the execute bit set, and users of the system know WHY that is, and they are careful about what they apply the execute bit to (and we don't put up messages that say "Hey, this isn't executable, shall I do it for you?").
Is there an equivalent concept of "non-executable" on Windows that's usable in an everyday environment for random users? Not really. The nearest you get is Software Restriction policies, but they are a nightmare to manage and nobody uses them (and even then it's still possible to execute random code from the Internet if you just pipe it through a trusted program, e.g. a Word macro).
If you use a decent browser with the correct security, Flash/Java apps appear as nothing more than a play button that *YOU* decide to click and ZERO code is executed from that app until you do (and you'd be amazed how many play buttons I see each day just browsing ordinary websites that I *NEVER* click on because I stop noticing they are there unless I've gone to something that I understand NEEDS to execute a Java app for whatever reason).
Why a web browser NEEDS to run executable code to do its job, I'll never understand - it's nothing more than a renderer, like Ghostscript, except you don't see Ghostscript executing in-built shell commands or machine code in the PostScript it's trying to render (though even that's had its fair share of problems, they are NOTHING compared to a browser flaw). Does Internet Explorer even have options to let you selectively load Flash/Java? No (and even on Firefox, it's an additional plugin). Opera has it available by default, though.
Hell, Intel, nVidia, Windows Update etc. encourage you to run an ActiveX or Java app so they can "detect your hardware" to choose the best drivers - does that not throw warning bells to people about how much access it would have to the system if you allowed it? And because it's the largest companies (and even the suppliers of the damn OS) that encourage it, people think that's okay.
The problem of viruses is NOT computer related, it's entirely user-related. Not updating software, not running AV (though I'm against the whole idea of AV, personally, when managing your computer properly works so much better), not clicking Yes, inserting untested storage devices, having Autorun enabled, not having the most basic firewall, etc. The holes that are there are there because of the design / choices / implementation of the OS manufacturer, sure, but they get exploited because of the choices of the user.
The systems that OS vendors have deployed against viruses include anti-virus (the biggest scam of our time, as far as I'm concerned), forcing Autorun off after 10 years of OS deployment, running browsers in separate processes to explorer windows and other ridiculous half-measures.
At no point is there a mention of complete isolation (as in a chroot-style environment - why does a browser EVER need to write to anything other than a single downloads directory that the OS won't let you run programs directly from?), or of just not executing this crap by default. How many programs actually assign Windows ACL permissions to their folders, for example? Hell, historically WMF's were nothing more than a list of GDI-executed
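The two Unix-side controls the comment above leans on (the execute bit, and a downloads directory the OS refuses to run programs from, i.e. a `noexec` mount) as an added example that is not part of the original thread. `may_execute` is a hypothetical helper name; it reports whether a file would be runnable by combining its mode bits with the mount options of the filesystem it sits on. The mount table is constructed sample text in /proc/mounts layout so the result is the same on any machine; passing `mounts_text=None` reads the real /proc/mounts instead.

```python
"""Execute-bit and noexec-mount checks (added example, not from the thread).

may_execute() answers "would the OS run this file?" on a Unix system by
combining two controls: the file's execute bit and a `noexec` option on the
mount containing it (the "downloads directory you can't run programs from").
MOUNTS_SAMPLE is constructed sample text in /proc/mounts layout.
"""
import os
import stat
import tempfile
from typing import Optional

# Constructed sample in /proc/mounts format: device, mountpoint, fstype, options.
MOUNTS_SAMPLE = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
"""


def execute_bit_set(path: str) -> bool:
    """True if any of the user/group/other execute bits is set on `path`."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def mount_options_for(path: str, mounts_text: Optional[str] = None) -> str:
    """Return the option string of the longest mountpoint containing `path`.

    Reads /proc/mounts unless `mounts_text` is supplied. Real /proc/mounts
    escapes spaces in paths as \\040; this small parser does not unescape them.
    """
    if mounts_text is None:
        with open("/proc/mounts") as fh:
            mounts_text = fh.read()
    path = os.path.abspath(path)
    best_mp, best_opts = "", ""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mp, opts = fields[1], fields[3]
        # "/" matches everything; deeper mountpoints win by being longer.
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        if inside and len(mp) > len(best_mp):
            best_mp, best_opts = mp, opts
    return best_opts


def mount_has_noexec(path: str, mounts_text: Optional[str] = None) -> bool:
    """True if the filesystem holding `path` is mounted noexec."""
    return "noexec" in mount_options_for(path, mounts_text).split(",")


def may_execute(path: str, mounts_text: Optional[str] = None) -> bool:
    """A file runs only if its bit is set AND its filesystem allows execution."""
    return execute_bit_set(path) and not mount_has_noexec(path, mounts_text)


def demo() -> dict:
    """Create a temp file and show the execute bit flipping the answer."""
    with tempfile.TemporaryDirectory() as d:
        f = os.path.join(d, "downloaded.sh")
        with open(f, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
        os.chmod(f, 0o644)            # a fresh download: no execute bit
        before = execute_bit_set(f)
        os.chmod(f, 0o755)            # the user deliberately marks it runnable
        after = execute_bit_set(f)
    return {
        "before_chmod": before,
        "after_chmod": after,
        "tmp_is_noexec": mount_has_noexec("/tmp/downloaded.sh", MOUNTS_SAMPLE),
        "home_is_noexec": mount_has_noexec("/home/me/downloaded.sh", MOUNTS_SAMPLE),
    }


if __name__ == "__main__":
    print(demo())
```

The point the longest-prefix match makes is that a `noexec` on /tmp overrides the executable root mount for anything under it, which is exactly the property a downloads directory needs: the user can set the bit, and the kernel still refuses to run the file from there.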
Hold your breath first, though.
Seriously, fire on board something like that would be about the scariest thing to deal with. With loss of air or something, you don't have time to panic but if the fires are burning at 100th their normal rate but are large enough to be pretty much unextinguishable, you've got a lot of fighting to do before you eventually end up burning.
It'll get into every possible escape route and keep following you, it'll slowly suck up all fuel everywhere (can't just "move stuff away" if the *fire* is floating about), it'll be unpredictable and hard to tell when it's gone out, and it'll get into everything. And you're in a confined tin that you're relying on staying all in one piece to get back home at any point.
The question is: why haven't we researched this more already?