Slashdot Mirror


User: vadim_t

vadim_t's activity in the archive.

Comments · 3,525

  1. Re:Useless on PulseAudio Creator Responds To Critics · · Score: 3, Insightful

    IMHO that sucks donkey balls.

    The exact system component that is supposed to mix audio from all applications only works so long as it's all under a single user account. The moment user switching comes into play there's got to be some horrible hack to release control of the sound device so that another instance of PA can get it, and if I for any reason want to run an application under another account (for security reasons for instance), it doesn't work anymore. Isn't that wonderful?

    Here's what I want: That sound ALWAYS gets mixed. No ifs, no buts. System-wide for anything at all that tries to play sound.

  2. Re:floating point works fine in my kernel on PulseAudio Creator Responds To Critics · · Score: 1

    Because bluetooth is wireless and USB isn't.

    I have a bluetooth headset because with it I can go to the kitchen to get a drink, and still hear the music/voip/etc.

    Using speakers would mean letting the people in the nearby flats hear it, and using a wired headset means a much more limited distance, and occasionally nearly ripping the soundcard out of the computer when the cable turns out to be too short.

  3. Re:Refreshment of memory on FOSS Sexism Claims Met With Ire and Denial · · Score: 1

    I don't think my attitude is that rare.

    If you look at a mailing list for a large project, pretty much all of it is about code. People post code, review patches, argue about what should be done, how, and why.

    When people get personal it's almost always for a code related reason. Eg, some people's comments may be badly received, not because they post under a particular name from a particular TLD, but because in the past they've shown themselves to be unreliable, overly uncompromising, or hard to work with.

    I also find that in this field it's hard to speak to somebody you don't know without unintentionally offending them. People have diverse backgrounds, with very varying levels of knowledge that aren't always immediately obvious. What a newbie might find enlightening, an expert who has been quietly lurking and not showing the extent of their knowledge may find insulting. Sometimes people may take offense at the attempt to determine the extent of their knowledge.

  4. Re:Refreshment of memory on FOSS Sexism Claims Met With Ire and Denial · · Score: 1

    Well I'd argue that "somebody who looks physically like a man but who thinks they should look like a woman" is a category of "woman," but anyway...

    I agree actually

    Ok, yes, there may be other reasons to use the account name, but what is the most likely *perception*? Hispanic woman, I'm guessing. So the question is, based on that perception (whether right or wrong) would the poster be treated differently?

    I have no clue what americans mean by "hispanic" actually. I worked at companies where pretty much everybody was from a different country, and they all look the same to me, with the exception of really obvious differences like large differences in skin color. I can't tell a bulgarian from a mexican.

    Anyway. First, like I said I consider online impressions to be unreliable. Even if for some reason I cared about somebody's gender, online I can't get any accurate information about it, so I would postpone any related decisions until getting a definite confirmation in person. Only reason I can see to care about somebody's gender is a romantic interest on my part, which is squarely outside the scope of getting technical things done and IMO entirely legitimate for that purpose. I consider such things inappropriate in settings like a development mailing list though.

    When technical subjects are involved, such things are irrelevant and people shouldn't be treated differently because of it. Code is good or bad regardless of who wrote it.

    Also, the idea that computers are a male thing seems recent. If you search for photos of ancient computers like the ENIAC, the people who program them are pretty much all women, and the computing field owes much to Ada Lovelace and Grace Hopper.

  5. Re:Refreshment of memory on FOSS Sexism Claims Met With Ire and Denial · · Score: 1

    Not the point I was trying to make, no. And SRS isn't instant. External appearance doesn't necessarily indicate what somebody wishes to be like.

    You said "Right there we can probably figure out that you're a Spanish woman, right?"

    My point was that no, it might not be a woman, or spanish.

    From the name, it could be a mexican living in spain, or using an account they got there. It could be a woman, somebody who looks physically like a man but who thinks they should look like a woman, a husband using a wife's account, somebody using a friend's account, somebody roleplaying using a persona (eg, somebody who created "Aerie, High Priestess of Mystra" in a RPG, then used it as a handle for development work), a man wondering what kind of reception women get...

    It's trivial to get any email address you want, for any name, on any TLD. Making assumptions based on that is just not useful.

  6. Re:Refreshment of memory on FOSS Sexism Claims Met With Ire and Denial · · Score: 1

    You can, but it's very easy to get a guess like that wrong.

    The country I usually post from isn't the country I was born in.

    The domain I post from is usually a US one, which is neither where I was born, nor where I live permanently, nor where I'm located.

    Occasionally I travel, so I may post from a country where I neither live permanently or was born in.

    Then, it's not that rare to find somebody posting under a name that looks like a real one but really isn't, due to things like gender issues and sex reassignment.

    With spanish speaking countries you could be born in one, move to another, and post from an address in the third.

    There's a guy in the Perl community who goes by "Abigail". I have occasionally used nicknames that sound female but actually are a reference to something else entirely.

    And really, who cares? Good code is good code, and bad code is bad code, no matter who it came from.

  7. Re:Refreshment of memory on FOSS Sexism Claims Met With Ire and Denial · · Score: 1

    Irrelevant.

    Not irrelevant. My point is that when I'm attending a convention, most people don't know who I am. So going to one doesn't automatically make everyone aware of what I look like. In fact nobody may find out if I don't say it.

    Unless you take great pains, you communicate your gender (and your race/ethnicity) to anyone who views you.

    By outside channels I mean things like IRC. I mean I don't discuss non-coding matters on development channels and lists. Most people don't either.

    And even when meeting somebody in person I don't bring that meeting into the development list.

    For mutual support when bigotry is encountered, for simple human interest when it isn't.

    Such things should never be brought to a project in the first place.

    The only ontopic thing should be code. Things like porn, gender, race and nationality should be all offtopic in the first place, so bigotry shouldn't happen except on technological subjects, because there would never be a legitimate reason to mention such things in the first place.

    By the same token, support groups would be also offtopic.

  8. Re:Refreshment of memory on FOSS Sexism Claims Met With Ire and Denial · · Score: 1

    I believe that many, if not most, OSS projects do have conferences and other get-togethers, at least for the project leaders.

    Well, sure, I've been to those. But when at a convention I don't yell at random the name under which I submit code. And when I meet somebody face to face I don't then start telling people about what we did at $CONVENTION at the -devel mailing list. I just get back to coding. If I communicate on personal matters I do it through outside channels.

    Why would you think that belonging to such a group was intended as a statement about the quality of one's code?

    Why would somebody make such a group otherwise?

    I wrote this post without looking at your username. I don't know if you might be male or female, or somebody I talked to before. It doesn't matter to me.

    When despite my attempts to ignore your RL self you insist on shoving some of it into my face, I can't help but think you think it's somehow relevant to getting coding done, because that's what a software project is about. To me, it's as weird as if somebody made a group of Debian users with large noses. It can't possibly have any relevance for anything Debian related, yet for some reason somebody thought the shape of one's nose has some relevance in the Debian community.

  9. Re:Refreshment of memory on FOSS Sexism Claims Met With Ire and Denial · · Score: 1

    Except that that's not the way the world works. People are in fact judged by gender, orientation, race, etcetera, in our society; and those who are (mis)judged by those criteria naturally will band together for support.

    But most OSS projects don't work through face to face conversations.

    When I post to a mailing list I don't add to each post my gender, orientation, race and so on, and in fact I think doing so would be in bad taste as it'd imply that it somehow makes my code different. I also don't post about my real life, or how I socialize, as none of that has anything to do with coding.

    After a couple of decades, it might be possible for "Debian Women" to work themselves out of a job. This recently happened in the martial arts system I belong to, when it was decided that there were enough women in both total enrollment and in the senior ranks that it was no longer necessary to have a special "women's seminar" every year. But the reason that things reached the point that sexism was so reduced in significance was because there was this extra support system in place.

    That's very good to hear. But it's not really the sort of thing I'm talking about.

    In an OSS project most people don't know your gender, age, location, political inclinations and so on. So why would you explicitly start a movement emphasizing one of those things, as if it said something about the quality of your code? Just contribute, and get respect, or lack of it according to your contributions.

  10. Re:Oh brother. on FOSS Sexism Claims Met With Ire and Denial · · Score: 1

    maleness is still the default, the essential; a woman's perspective is considered especially different from a man's but the reverse is never true.

    In programming, gender should be irrelevant. If you weren't specifically talking about gender issues I wouldn't have a clue which you are. I don't look at usernames when writing replies.

    I've seen code written by both men and women and I couldn't tell who wrote a piece of code.

    Slashdot is one of the least female-friendly places on the Internet

    Why? I know people make stupid jokes occasionally. I don't like them either, so I mod them down.

    But 99% of the discussion isn't like that, and stupid jokes are that, stupid, and not the main content of the site.

    Feminists can't take a joke. The problem is not that feminists can't take a joke. (We can.) The problem is that you can't take feminists seriously.

    Feminism, IMO, doesn't belong in programming. Neither does whatever word is the reverse of that, or any kind of gender issue, or anything related to where the coder was born, their appearance, genetics, non-programming related preferences and such things in general.

    Programming is about code. Who are you, what you look like, and what kind of hormones you have in your blood are irrelevant.

    Criticizing misogyny is a waste of time. This might actually be true here.

    I don't disagree the presentation was tasteless. I didn't like it either. I agree it was a very bad idea. But to attempt to extrapolate that to FOSS in general is IMO excessive (where quality of contribution is what matters), and to make it a big issue is counterproductive.

    That one project has a moron in an important position doesn't automatically say anything about the rest of them.

    Feminists have no lives.

    Two things about this. First, for the purposes of contributing to a software project, you're not a woman and I'm not a man: we're both programmers and that is gender, age and species neutral. My contributions are only more relevant than yours if they're technically better.

    I just have to endure cat calls from sleazy strangers on my walk to work, get interrupted in meetings (and then get pigeonholed as a bitch for standing up for myself), and frequently have to put up with people who are blind to their own privilege. I really, really wish that my having a life would make this all stop.

    I can understand it's got to be annoying. But I've got to deal with nonsense every day as well, you know. People called me many things to my face. People also interrupted me at meetings. But I don't bring those issues to a software project; I bring my code.

  11. Re:You're doing it wrong on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    The ONLY difference is that it's once per authority vs once per certificate. A small company will only need a couple certificates.

    Management gets much easier when you do it once per CA cert. Then you never have the issue of "crap, adding this new server means going to all of 50 employees and fixing it". Guaranteed somebody is on vacation or sick.

    I'm a firm believer in doing a bit of extra work now, so that you don't have to do it later, when for instance the mail server catches fire. Because that's exactly when you don't want any extra work.

    A large company will just buy a glob of certificates from verisign and be done with it.

    Why would it? Doing it internally is cheaper. Making a cert takes about one minute.

    New person in the company? They get assigned a desk, a computer, given the CA cert and shown what to do with it. They're maybe issued a personal client certificate.

    Person leaves the company? Personal certificate gets revoked, VPN server won't accept it anymore.

    Being your own CA doesn't protect you from any attacks, as users themselves should never be making the exceptions - per certificate or per authority.

    Then why the complaints? Surely all the whining can't be coming from people who think the way it should be done is having a tech going from computer to computer adding a cert.

    No, the complaints come from people who think browsers should just shut up about their https://john-doe.com/ having a self-signed cert.

  12. Re:You're doing it wrong on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    Right, the difference is that you do it once, then always know afterward which certs are good.

    I get one CA cert at my company. That's all I ever need. If I'm on the other side of the planet when the mail server catches fire, burns to the ground, and is replaced by one with a new key, I'll still be able to log in securely, because they'll sign the new one with the CA cert.

  13. Re:SSL is trying to do too much. on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    Then one time in a thousand the guy will get a single password before someone twigs that something funny's going on and calls the cops.

    Good luck with that. These days the cops don't care unless it's something very, very substantial. It'll certainly take something bigger than "I think somebody might have got my bank's password". Most of the time the cop will have no clue what the hell you're talking about. And if they do it'll just get filed and stay archived, unless they catch the guy for some other reason and figure out some of the money was yours. In any case, even if they believe you, the police aren't going to give your money back.

    Even in the worst case the risk-benefit ratio is thousands of times better for phishing, even if you don't bother getting a valid certificate for bank0famerica.com.

    That is a better point. Though IMO hanging out in the right area (like one full of big companies) might net something juicier than a random Joe's bank account.

  14. Re:How can sexism even be an issue in FOSS... on FOSS Sexism Claims Met With Ire and Denial · · Score: 1

    RMS is just... weird.

    I mean he's seriously odd in RL. It's immediately obvious even at short conferences.

    I don't think he's as much sexist as completely tactless and out of touch with the way you're supposed to behave in public, because he's got an overall very strange way of behaving that pretty much anybody, of any gender is going to find bizarre.

    I don't think he makes a good example of sexism because that one incident is just a tiny part of his weirdness. It's like including somebody with a bad case of autism in a list of very shy people. Not only that's not even half of his problems, but the root issue is probably something entirely different.

  15. Re:Refreshment of memory on FOSS Sexism Claims Met With Ire and Denial · · Score: 5, Insightful

    Actually, the last part I can kind of understand.

    OSS projects are for coding. I don't really care if you're a man, woman, or cat that somehow managed to learn to use a keyboard. People are valued in OSS projects for their coding contributions. I'm not really surprised that people with an agenda not relating to getting things done don't get a pleasant welcome.

    Note that I don't have any issues with anybody at all participating. Whether a man, woman, or alien, computer, or brain in a vat, come and code.

    But I don't think something like this should really exist in something like Debian. There shouldn't be a "Debian Women", "Debian LGBT", "Debian Minusvalids" or "Debian Furries" project not because it's somehow wrong for such people to participate (I belong to one of the listed categories), but because such things should be completely irrelevant and everybody should be only judged by the value of the code, art, etc they contribute.

  16. Re:SSL is trying to do too much. on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    Where did I suggest that the browser accept a self-signed cert to replace a CA-signed cert?

    What if the first one they got was self-signed? What if they got a new laptop, or reformatted their computer so the browser doesn't know what the site had before?

    You can only be reasonably sure you're getting the right cert when already having a secure connection to the target server. That only works when you're on a LAN at home, or on a LAN at work.

    None of that applies to online shopping.

    Unless their bank is actually using self-signed certs, they won't be given the opportunity.

    They will be if somebody performs a MITM. There's no way for the browser to know "Banks are supposed to use a Verisign issued cert, home servers are OK with a self-signed one". Unless the user configures it somehow, and most users don't have a clue.

    Banks also change certs, because they expire, or because the bank wants to change the CA (because it went bankrupt, doesn't offer extended validation, screwed something up, whatever).

  17. Re:Cloud Failure on The Sidekick Failure and Cloud Culpability · · Score: 1

    Contracts aren't a guarantee. They may sign a contract and not follow the terms. They may go bankrupt. A massive failure may make the total amount of compensation to be paid larger than the money the company has. If you're a small customer, they may be able to screw you over and ignore it, because suing isn't worthwhile.

    Even if a service ended up paying me for a data loss there's still information that can't be replaced.

    I can't take another photo of my dead cat.

    A company may not be able to rebuild a database regardless of the amount of compensation it gets -- the data may not exist anywhere else. The loss of trust by the clients may never be replaced.

    If you have something really important, back it up yourself, and ensure it's being done right.

  18. Re:SSL is trying to do too much. on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    Or when the value to an attacker of an MITM attack is less than the cost of performing one, considering that the value of performing a MITM attack drops close to zero almost as soon as it's detected. For most of the websites that are currently not using any encryption because TLS is a pain in the backside, the probability of detection from any attack carried out on a large enough scale to be of any value to the attacker is very high... even if that value is only measured in "lulz".

    This sounds to me like the assumption many people make: I don't need secure. Who would be interested in my cat photos? Security is for banks.

    But, a MITM can be set up automatically. Take a laptop, set up an open access point at a well populated place, and log all SSL traffic. Eventually you'll catch somebody accepting your self-signed cert for their bank's website. If somebody figures out, it doesn't matter as they don't know who or where you are. You could set up such a system in your car's trunk, and go look at monuments and drink coffee in a bar without looking suspicious in the slightest.

    Implementing an SSH-style mechanism would... within a matter of months at the most... allow EVERY new installation of Apache or any other web server to automatically and painlessly self-certify, by default. Sniffers would become increasingly useless as time went on.

    I think it would fail horribly.

    SSH's security relies on that first you get your key from an internal, secure network. Then when using an external, unsecure network you see something's up when the key changes. The security hinges on knowing the difference between when there's likely to be a compromise and when there isn't. I'm sure 99% people don't understand that. For a user, networks are magic. They won't understand the difference between connecting through a LAN at home, unencrypted wifi to their home AP, LAN at a friend's house and random open AP they found somewhere.

    Actually IMO browsers should refuse self-signed certs outright, with no way to work around it.

    Where did I suggest that a bank use a self-signed certificate?

    You didn't, but implementing such a system implies that self-signed certs are OK. For you, it's "they're OK in certain, well defined cases". Most people will understand "they're always OK, even from the bank" and will happily accept a self-signed cert from their bank.

  19. Re:SSL is trying to do too much. on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    SSL was indeed made to solve a different problem. And while sometimes occasionally inconvenient IMO it's much better than the alternative.

    Setting up services that work on a basis of "It's the same server as yesterday" only works well in two cases: When it's a company system, and when it's your own home server.

    In the case of a company this works only until a certain point. It'll instantly become a problem if at your company people travel, and a server gets a new key for some reason while somebody is abroad.

    In the case of doing it at home, you're knowledgeable enough already, so making a CA cert shouldn't be such a big deal. And current tools like tinyca make it very easy, no need to mess with openssl commands.

    For most of the normal people such systems are not only not effective, but harmful. Knowing that a bank's cert is the same it was yesterday is of absolutely no use to anybody who doesn't work in the bank's data center.

  20. Re:You're doing it wrong on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 2, Insightful

    Uh, simply add that self-signed cert once.
    Someone in IT will do it.

    Then another time for the website, and another one for the IM server, another time for the VPN, and a couple times more when servers get replaced...

    Setting up a CA is a long term solution that only needs to be done once. You can then generate a new cert that will be recognized as valid by somebody in another country.

    Setting up your own CA doesn't fix the problems you mentioned (random access point fud).

    Yes it does.

    If you're lucky:
    You go to https://example.com/. It uses a self-signed cert. You accept it, connect to the right server. All is good.

    If you're not:
    You go to https://example.com/. It uses a self-signed cert. The man in the middle examines your cert, makes another self-signed one with the same details, and presents that to you. You accept it. Connect to the man in the middle who then connects to your server. You read your mail, administrate your servers and so on, while somebody is quietly logging all that data.

    With a CA, your cert would be signed by the company's cert. Your company can sign certs with its key, but some random guy running an AP for nefarious purposes can't. The best he can do is to make a self-signed cert with your company's details, but you're not stupid enough to ignore that, are you?

  21. Re:SSL is trying to do too much. on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    Well, in that case, why do you have a problem with doing certs properly?

    Get tinyca or something similar. Make a CA cert, and import it in all your browsers and applications. Then use it to sign keys for various services. With the CA cert there, any key it signs will be automatically valid.

  22. No true scotsman on The Sidekick Failure and Cloud Culpability · · Score: 4, Insightful

    This is awfully convenient. Something that at least to my eyes looks a lot like a cloud crashes. Cloud pundits announce:

    "if it loses your data - it's not a cloud".

    So if Amazon's S3 ever fails horribly and loses everybody's data, then it wasn't a cloud either.

  23. Re:SSL is trying to do too much. on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    Here's a question:

    When you're ssh-ing into your computer, how many precautions do you take?

    Do you never, ever ssh from a device you don't personally trust completely?
    Do you remember or have written down your SSH server's fingerprint so that you can tell it's the right one?
    If you for instance go on vacation, ssh from your laptop to your server and get the wrong fingerprint, do you abort and wait until you get home to sort it out?

    If you said no to any of these, you're not really very secure.

    I do all these things, but most people who use SSH don't. I've seen administration scripts written with "expect" to automatically accept an unrecognized key.

  24. Re:You're doing it wrong on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    Finally there's the suggestion that browsers never permit people to accept certificates that have expired or are self-signed. I'm sorry, but that's just not going to fly. I find the current plethora of hoops I have to jump through with Firefox annoying enough. If I want to sign a cert so my employees can read their mail with a web browser, what's wrong with that?

    That it's pointless and doesn't work?

    If your employees every day click on "Ignore self-signed cert" button, then they'll click on it the time when they connect to some random open access point that's set up to generate self-signed certs for any SSL website.

    It's worse than no encryption. With no encryption you know there isn't any security. With encryption you think there is, all while your internal company mail is passing through a system intentionally set up to log all traffic for malicious purposes.

    You can fix it easily though. All you need is to set up your own CA. Use something like tinyca. Generate a CA cert, make certs for your employees, sign them with the CA, then get them to import the CA certs into their browsers. Then any further certs you sign with that CA will be automatically trusted. Every browser will stop complaining if you give it your CA cert.

  25. Re:SSL is trying to do too much. on SSL Still Mostly Misunderstood, Even By the Pros · · Score: 1

    Any company can get a cert.

    What's important is that they're not supposed to be able to get one for a domain not of their own. So for instance, a Microsoft employee can't get a cert for paypal.com then sit somewhere between your network and the internet and perform a man in the middle attack.
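
The internal-CA workflow argued for in the SSL comments above (create one CA cert, sign each server cert with it, distribute only the CA cert), as an added example that is not part of any comment. It uses the `openssl` command line instead of tinyca; "Example Corp" and `mail.example.com` are constructed names. It shows that a replacement server cert is accepted with no client change, while a self-signed cert carrying the same details is rejected.

```sh
#!/bin/sh
# Added example: internal CA versus a look-alike self-signed certificate.
# "Example Corp" and mail.example.com are constructed names.
set -eu
HOST=mail.example.com
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the result does not depend on the system openssl.cnf.
cat > "$WORK/cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:$HOST
EOF

# One-time step: the company CA. Only ca.crt is handed to clients.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/cfg" -extensions v3_ca \
    -subj "/O=Example Corp/CN=Example Corp Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Per-server step: fresh key and CSR, signed with the CA key. $1 = file prefix.
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/cfg" \
    -subj "/O=Example Corp/CN=$HOST" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 30 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAserial "$WORK/ca.srl" -CAcreateserial \
    -extfile "$WORK/cfg" -extensions v3_srv \
    -out "$WORK/$1.crt" 2>/dev/null
}

# What anyone without the CA key can produce: same subject and SAN, self-signed.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/cfg" -extensions v3_srv \
    -subj "/O=Example Corp/CN=$HOST" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Client-side decision with only ca.crt installed: prints trusted or rejected.
check() {
  if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$HOST" "$1" 2>&1 \
      | grep -q ': OK$'; then
    echo trusted
  else
    echo rejected
  fi
}

make_ca
issue_server_cert srv1        # the original mail server
issue_server_cert srv2        # its replacement, with a brand-new key
make_self_signed lookalike    # same name, but not signed by the CA
echo "original server cert:     $(check "$WORK/srv1.crt")"
echo "replacement server cert:  $(check "$WORK/srv2.crt")"
echo "look-alike self-signed:   $(check "$WORK/lookalike.crt")"
```

The rejection only protects a client that treats it as final; a user who clicks through the resulting warning is back in the self-signed case.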