Well put. Most people are laughing because they think the Internet is not a series of tubes - to be fair, a "series of tubes" implies a single path, rather than an interconnected network, so it doesn't describe the whole Internet, and it's an oversimplification that doesn't take multihoming into account. However, the "series of tubes" metaphor could easily describe the path from one host to another, and it's a great way to explain bottlenecks. Everybody can understand that when you connect a series of 4" pipes with a drinking straw on one end, the rate that water can flow through the whole "series of tubes" will be no more than what can fit through the straw.
And like I said, I was originally just going to post something about how it's actually a good metaphor, but then I listened to an excerpt from the speech and realized that he was using the metaphor completely inappropriately (talking about the tubes getting clogged because people are treating them like a truck), and then I listened to more of the speech, and the more I listened to it, the more upset I became. Ugh.
But I still watch The Daily Show.
Hey, are you running my code, by any chance?
It's unfortunate that the "series of tubes" phrase is what everybody pounced on. Network connections have been referred to as "pipes" for years; it's a useful metaphor.
The trouble is, Stevens didn't use the metaphor correctly. I was going to post a reply essentially agreeing with you about the "series of tubes" thing, but then I actually listened to the rest of what he said, and it quickly became clear that he really doesn't understand what he's talking about, but he can make it sound like he is fighting for rights of the average consumer while advocating a policy of laissez-faire.
Some of the juicier bits:
And what happens to your own personal Internet? I just the other day got... an Internet was sent by my staff at 10:00 in the morning on Friday; I got it yesterday. Why? Because it got tangled up with all these things that are going on the Internet commercially! [...]
And here we have this one situation where enormous entities want to use the Internet for their purpose, to save money doing what they're doing now. They use FedEx, they use delivery services, they use the mail, they deliver in other ways, but they want to deliver vast amounts of information over the Internet, and again, the Internet is not something you just dump something on - it's not a big truck, it's a series of tubes. And if you don't understand those tubes can be filled, and if they're filled, when you put your message in it gets in line; it's gonna be delayed by anyone that puts into that tube enormous amounts of material - enormous amounts of material. [...]
Maybe there is a place for a commercial net. But it's not using what the consumers use everyday. It's not using the messaging service that I think is essential, I think, to small business, it's essential to our operation of families - the whole concept is that we should not go into this until someone shows that there's something that's been done that really is a violation of Net Neutrality that is you and me.
Stevens is saying that commercial use of the Internet (to do things like offer video streaming to paying customers) is clogging up the Internet, causing the rest of us (individuals, families, small businesses) who rely on the Internet for communication to have our e-mail delayed just like his was, and that maybe the companies who want to offer these kinds of services should go build their own network and leave ours alone. After all, the Department of Defense has its own network - why? Because they can't afford to rely on the same Internet the rest of us use, in case it should be clogged up by whatever it is that big corporations are polluting the Internet with.
So what's the solution to this? The solution is to not pass legislation to require Network Neutrality, because there haven't been any actual violations of Network Neutrality yet - or rather, there haven't been any that directly affect "you and me". Instead, we should say "no" to the greedy corporations that support NN, and revisit the issue if not having NN starts causing problems that Stevens can actually understand.
Unbelievable.
I want this man out of my Senate. I wish he could be kicked out for this, but if he loses his seat for lying about the bribes he's been taking instead, I guess that will have to do.
Let's get real here.
Firefox gained visibility and market share after being ported to Windows and not before.
Uhh, if I'm not mistaken, Firefox has always been available for Windows, since its inception (as "Phoenix"). Netscape Navigator (its predecessor) has always supported Windows as well (although of course it was Windows 3.1 with a third-party TCP/IP stack back in 1994).
Wrong server. Try this one.
Since the invention of Flash video we are free from unnecessary plugins and the related burden.
Apparently you're mistaken about which plugins are unnecessary. Microsoft has decided that in addition to Flash, Silverlight is now also necessary.
I'm getting the same error on Mac OS X 10.4 in both Firefox and Safari, as well as Safari on Windows Vista. In Firefox on Windows, it asks me to install Silverlight and the Move Networks plugin.
Presumably there would be balconies, and although it might be a slightly longer walk than a few flights of stairs, you could definitely get out of the building.
The term you're looking for there is 100% markup.
...those who halted BAD legislation by not just voting against more government intrusions into the market, but...
While you're absolutely right about most of what you said, I just wanted to point out that "government intrusions into the market" aren't always bad. The antitrust case against Microsoft (that Bush aborted, but did at least force them to back down on some of their abusive tactics) was a government intrusion into the market. Network Neutrality is government intrusion into the market; note the FCC's investigation of Comcast breaking BitTorrent. There are plenty of other areas I desperately WANT the government to meddle in, and it frustrates me that both major parties are so beholden to corporate interests.
Raw unbridled capitalism doesn't work; the free market must be tempered, or we'd end up with the whole world owned by one big huge monopoly. Unfortunately, our government has not been doing its job well, but just because they usually manage to botch things whenever they interfere doesn't mean the alternative isn't even worse.
Every senator's vote counts the same. Biden is already in the senate, so if he's elected VP the real difference maker will be whoever replaces his old senate seat.
What are the odds that Sen. Biden's constituents will elect whoever Biden recommends to succeed him, i.e. another Democrat? It actually does tip the scale slightly.
The Bush administration got exactly what they wanted in Afghanistan and Iraq,
No, what they wanted was for the Iraqi people to greet us as liberators, and to begin withdrawing our troops from a peaceful democratic Iraq by around 2004. Oh, and did I mention the profits from Iraq's oil sales were supposed to bankroll the whole thing, so it wouldn't cost the American taxpayer anything? Of course most of us would call this plan criminally stupid, but that was the plan.
they got exactly what they wanted with the Patriot Act
Yes, I wonder how long they'd had that bit of legislation sitting around waiting for the right opportunity.
the FISA bill, wiretapping,
No, they just didn't want anyone to find out they were doing it. They're happy with the recent modification to FISA, of course, but their intention was to simply ignore the law, not change it.
no-fly lists,
I'm not sure how this really benefits anybody. Although Ted Kennedy getting on the list was pretty funny.
they got exactly what they wanted on things like the bankruptcy bill,
I can't speak to this; I'm sure you're right.
now they even got Poland and the Czech Republic to agree to the missile shield, even though it doesn't even work and in both countries the majority of the population are opposed to the project.
Yeah, that was a neat piece of diplomacy. Of course it doesn't work, but that was never the goal of the project - the goal was to line somebody's pockets. Any actual security benefits are icing on the cake.
If you consistently get what you want for 7 years, that's not exactly incompetence.
If they'd gotten exactly what they wanted, Bush's approval rating would be a bit higher than 30%. We came awfully close to electing John Kerry in 2004 even though nobody (including Democrats) actually liked him. Yes, it's a testament to the genius of Karl Rove that Bush managed to get reelected anyway, and that we haven't yet found evidence of deliberate vote tampering by Diebold, but it was a lot closer than they would have liked.
Here you go!
They wouldn't be very good delusions if I had to admit I was wrong about them!
Only if there are exploitable holes in the kernel. For anything else, you can just restart the service.
But there are.
How frequently? And are they DoS or privilege elevation attacks? I might be willing to risk the former, as long as I'm safe from the latter, and neither is possible without first compromising a daemon (on a box without user logins).
And if security updates worry you, a 13 month uptime is a bad idea.
Only if there are exploitable holes in the kernel. For anything else, you can just restart the service.
That's a reasonable idea... except that users have learned that "https" is synonymous with the padlock icon. The padlock is different in different browsers (Safari shows it in the corner of the titlebar, for example), and I think users are more likely to look at the URL than the padlock icon. Obviously this could change, if the padlock icon were made more prominent (and consistent across browsers) and users were retrained. In the meantime, most users (who are savvy enough to know anything about encryption at all) won't notice the difference between the real https://www.paypal.com/ (with the padlock icon to show the cert is signed by a trusted CA) and a fake https://www.paypal.com/ (without the padlock icon because it's a phishing site on a free wifi connection with a malicious DNS server).
Of course, none of this prevents a malicious network from redirecting http://www.paypal.com/ to https://www.paypal.com.phishing.example.com/ or other tricks that require the user to be paying less than 100% attention.
Fedora is NOT appropriate for a production environment, period.
This is entirely dependent on what your production environment does, what its requirements are, and what your server infrastructure looks like. Not every environment has the problem where switching out OS versions is a big deal or results in downtime.
Alright, fair enough... but replacing the OS every year is definitely not what comes to mind when I think "production environment", even if you can do so without downtime. YMMV.
Sorry, that won't help. Imagine some evildoer sets up an open wifi network with SSID "linksys", and configures their DHCP server to point to their own DNS server. Their DNS server is set to return valid results for everything except bankofamerica.com, for which it will return almost (but not quite) the correct results.
"But wait," you say, "I don't have to use their DNS servers, I can just set my client to use DNS servers I trust even though I'm using the IP address assigned by their DHCP server!" Fine, but average users won't (and shouldn't) do this, and the malicious network can also reroute all outbound traffic on port 53, regardless of intended destination, to their own server anyway.
No, authentication can't rely on the same Internet that's used to connect to the site. That's why SSL works: your browser is already pre-configured with a list of trusted CAs, so any cert signed with a CA that your browser didn't already know about isn't trusted.
the certificate is also available to everybody who wants to be MITM, since it's part of the firmware of every router.
Could easily be made more difficult to find. But if that's the case, why not vanilla HTTP?
No, actually this is a very valid point. Someone could extract the private key from the router's firmware (or from a firmware update image downloaded from Linksys' web site), and then they'd have the key used by all Linksys routers. Off the top of my head I'm not sure how this could be exploited... I guess you could set up a MITM attack between the IT guy and the router, so he'd log into your fake site with the real router's admin password...
Which is exactly what HTTP does, it provides you with a false sense of security (as in, no warnings at all),
You don't get it. HTTP doesn't provide a false sense of security, because HTTP doesn't provide ANY sense of security. It doesn't pretend to be secure. It never has. In fact, the first time you submit a form over HTTP, you'll get a warning about how insecure it is.
Nobody is saying "no warnings = secure". We're saying "the little padlock icon that indicates the site is secure = secure, unless there's a warning". If you eliminate the warnings for self-signed certs, then you eliminate most of the security of HTTPS (it'll still protect you from packet sniffing, but not MITM).
You seem to have included an extra 0 in your price.
These guys will sell an SSL cert for $15, or $12/yr if you buy 5 years. I'm not sure who's offering $10, but somebody probably is. They verify your e-mail address and phone number, and take a recording of your voice over the phone. None of this proves anything, but it does make you a bit easier to track down in case you set up a phishing site.
You might want to add that Mom and Pop users should never go to a website using basic http, since many phishing sites don't bother with https. The ones that do use https could set up a domain name like www.phish.com/paypal and get their certificate signed by a third party. Now those Mom and Pop users can go to the https site with a full sense of security. Do you think that Mom and Pop users will tell the difference? I know my Mom wouldn't.
Mom and Pop should keep a bookmark for secure sites they visit, such as PayPal or their bank, make sure the URL starts with "https", and always use the bookmark to go to the site, never click a link from an e-mail message.
Yes, somebody could get a certificate for https://www.phish.com/paypal, but Mom & Pop's bookmark will never take them there. If they're just typing in "www.paypal.com" (without the https), then a man-in-the-middle attack could redirect them to https://www.phish.com/paypal.
Why are we being told that we must get permission from a "trusted" authority in order to "legitimately" use encryption?
Because a certificate signed by a trusted authority is the only way to eliminate spoofing and man-in-the-middle attacks, such as those that are possible with a DNS exploit, or setting up an open wireless network and setting the SSID to "linksys".
I know of a company that sells caching proxy servers that support HTTPS; their clients use them on corporate LANs and they can see the contents of encrypted HTTPS sessions. This lets them do things like scan outgoing messages for sensitive information to detect when an employee might be using GMail to e-mail confidential documents to someone, even though the connection is encrypted. What makes this possible is, the client's IT department configures everyone's browsers to accept this company's own fake CA key, so they can spoof all HTTPS sites with a self-signed certificate. So it only works in a corporate LAN environment - and the only reason it doesn't work everywhere else too is because SSL certs have to be signed by a trusted CA.
The only possible alternative is to do what SSH does: exchange keys on the first connection, and just assume that you're probably on a trusted network the first time you log in. Then you get a security warning if the server's public key changes. Most of the time this is good enough, but when it comes to online banking, I'd rather be sure.
How are they doing this?
They're using the automatic update functionality that was built into Firefox 2.
Did they ask for consent?
I don't recall whether you're asked about this at installation or not. Perhaps not, but there is an option in Preferences.
Are they installing something without permission?
No, in fact they're not even asking permission to install something, they're just alerting the user that the user needs to take action, because if they don't, after December any newly-discovered security holes will not be patched.
If Mozilla can do this sort of thing, doesn't that SCREAM spyware/trojan vulnerability?
Not really, no.