Dude, you need grouped, colored tabs on the side instead of the top. Like the parent, I always have 20+ tabs open, often peaking at 80+ when doing research. (E.g. open children from a search - those tabs now in a collapsible group. repeat.) And yes, I ctrl+tab a lot for switching back and forth between a small subset of tabs.
Use this for 3.6.x : https://addons.mozilla.org/en-US/firefox/addon/tab-kit/
This for 4.x+ : https://addons.mozilla.org/en-US/firefox/addon/tabkit-2nd-edition/ (not nearly as feature complete)
[FF10 startup] takes so long that I have time to grab a coffee
I'm sorry if you have that slow of a work desktop. Every advanced user needs at least 2 monitors and a decent box, if they want to be productive on the computer.
My current instance of 3.6 has been running for about 2 weeks. Using 500G resident, while the plugin-container is using 900M resident. I restart FF every few weeks to wipe flash cookies and reduce memory.
You could take your [soon to be] inexpensive 3D printer, and program the robot arm to hold a pen, then 'write' out the text just like old plotter machines did. With a fine pen, small text and different fonts could be written. Advanced versions with multi-color pens could draw (or 'dot') images. (Or make/adapt your own head capable of spraying jets of ink.)
Though once you post to your /. journal about the awesome 2D plotter you built from your 3D makerbot, "they" will know the print came from you.
(I suppose you should also grind your own tree fibers or recycle your own paper. Someday each ream of paper may have a slightly notched edge used as a unique identifier.)
Sometimes the cash payer gains 2 cents! "you get a total of 2.97, rounded to 2.95"
Paying electronically uses the exact amount.
Problem with Americans is, they'll try very hard to make their total order gain 2 cents every time. (Both the buyer and the seller will play this game, at first.)
Also, Australia no longer has the penny.
It's true. All vaccine refusers are selfish and put the entire population at risk. (Of course exceptions are made for the few cases of actual vaccine allergies.)
You're correct in that I was unaware just how profitable Prevnar (and the like) is for Big Pharma.
I didn't mean to propose there was no money to be made by the vaccine maker, just that there is much _more_ incentive for Big Pharma to push their more profitable drugs by wining and dining doctors. Of course, for these money-making pneumococcus vaccines like Prevnar (Wyeth), Prevnar13 (Pfizer), and Synflorix (GSKline), Big Pharma wines and dines states and federal governments to buy them. (I didn't realize how much until I looked it up, thanks for the info.)
In responding to the AC, I don't feel doctors are pushing vaccines because of kickbacks.
It should be possible to perform a statistically significant random sampling of the fields in question - from the fringes to the center - and know for sure who is lying about cross-pollination and who is wrongly getting fucked by Monsanto.
No, vaccines are heavily subsidized and made in massive quantities to keep the cost down. Big Pharma wants to sell you drugs that you must keep consuming, not a one-to-three dose vaccine that lasts your lifetime.
I don't think a lot of Jehovah's Witnesses are filling up waiting rooms, only to say "no thanks, I don't want any treatment, especially not a vaccine".
So no, the religious already opted out. These vaccine refusers are being selfish by putting the entire population at risk by not vaccinating their kids.
Yup, if you want to have a "flashlight that only you can see" like the submitter, you can swap out the white LEDs in a flashlight with IR LEDs, then use a digital camera viewfinder / cellphone camera to "see".
(Obviously the backlit screen would give you away if you're trying to be sneaky, but then there's IR goggles and other fun toys.)
They service law enforcement agencies around the world, as well as anyone interested in buying your data.
Right, but no one wants to filter helium from water, they want to filter all sorts of other stuff from water.
But if the membrane is dry, perhaps this could make kick-ass graphene blimps!
Too long, but I still read it!
Just a shout out to thank Carl Malamud for very detailed answers. Thanks also /. Timothy for setting up the interview.
As this article has very few comments, which I assume is because the answers were so well defined (:, it'd be great to see the number of page views.
You're wrong because DNSSEC is backwards compatible. The authoritative servers can sign TPB.org tomorrow, and until people use DNSSEC-enforced DNS resolvers, it won't matter. Your regular old DNS resolver will simply ignore the RRSIG records and the signed hierarchy. Now if you're a Comcast user, you will be able to validate the response: meaning visiting TPB.org won't send you to a bogus site because the A record can't be poisoned.
Exactly, SOPA DNS blocking won't be limited to recursive resolvers at ISPs, it will be implemented at the registry level. VeriSign will get the order and remove the name servers for ThePirateBay.com from the .com zone file.
You can fairly easily sign your zones using Bind: http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch04.html#DNSSEC
This takes a few steps:
* Generate keys - a zone-signing key (ZSK) and a key-signing-key (KSK) - usually a pair of keys for each zone
* Sign your zones - well, the records inside them
* Now use your zone.signed file as the zonefile that Bind serves up
Next, once you query your server and everything looks good, you need to ship either the DNSKEY record or DS (digest of the key) to your registrar *. They will ship that to the registry, which signs either your key or digest. Most gTLDs (.com/.org) require only DS records, while ccTLDs (.de/.eu) require DNSKEY records.
Then, as long as you're using a DNSSEC aware resolver, you can test the hierarchy of the signed zone:
`dig @149.20.64.21 comcast.com any +dnssec`
Look for the "ad" bit set in the Flags section. If you just want to see the keys in this example, simply limit dig to that RR type:
`dig @149.20.64.21 comcast.com dnskey +multiline +dnssec`
DNSKEY 257 is the key-signing-key, which was sent to the registry, while DNSKEY 256 is the zone-signing key. Dig +trace to see the DS records at the .com registry - they host two different digests for the same key tag/id (35356):
`dig comcast.com dnskey +multiline +dnssec +trace`
You'll often notice zones with multiple keys - you must support more than one key at a time to enable key rotation. E.g. You, as an authoritative server operator, may wish to rotate your zone-signing key fairly often, while you may wish to rotate the key-signing-key once per year. Each registry decides the expiration of the key or digest they are storing.
* = Not all registrars support DNSSEC; once you sign your domain you cannot transfer the domain to a non-DNSSEC enabled registrar. Either you have to un-sign it or transfer it somewhere else.
There is no certificate authority involved, as the DNS hierarchy contains the signature chain, from the root servers, to each TLD, to each domain. One proposed use of DNSSEC is to publish an SSL certificate public key -- then no Certificate Authorities are required! A browser can use the DNSSEC validated response to match the public key (or more likely, fingerprint) to the web server it is connecting with. You can already use DNS to publish SSH key fingerprints, now you can sign that record for even more trust.
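The DS-to-DNSKEY link described in the comment above, as an added example (not from the original post or from BIND): it derives the key tag and both DS digest types for a key-signing key, then checks which DNSKEYs a parent's DS set vouches for. The zone name example.com, the key bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct

# Constructed placeholder key material (NOT real keys): 32 fixed bytes each.
CONSTRUCTED_KSK_B64 = base64.b64encode(bytes(range(1, 33))).decode()
CONSTRUCTED_ZSK_B64 = base64.b64encode(bytes(range(101, 133))).decode()

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_role(flags):
    """257 = zone key + SEP bit (KSK); 256 = zone key only (ZSK)."""
    if not flags & 0x0100:
        return "not a zone key"
    return "KSK" if flags & 0x0001 else "ZSK"


def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B); valid for every algorithm except 1."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form | DNSKEY RDATA)."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, rdata):
    """Both DS records a registry could hold for one key: same tag, two digests."""
    return [(key_tag(rdata), rdata[3], dt, ds_digest(owner, rdata, dt))
            for dt in sorted(DIGESTS)]


def ds_matches(owner, rdata, ds):
    """True if the parent's DS record commits to exactly this child DNSKEY."""
    tag, algorithm, digest_type, digest = ds
    return (tag == key_tag(rdata) and algorithm == rdata[3]
            and digest.upper() == ds_digest(owner, rdata, digest_type))


def anchored_keys(owner, dnskeys, ds_set):
    """Key tags of the DNSKEYs that at least one parent DS record vouches for."""
    return [key_tag(k) for k in dnskeys
            if any(ds_matches(owner, k, d) for d in ds_set)]


if __name__ == "__main__":
    ksk = dnskey_rdata(257, 3, 8, CONSTRUCTED_KSK_B64)  # algorithm 8 = RSASHA256
    zsk = dnskey_rdata(256, 3, 8, CONSTRUCTED_ZSK_B64)
    parent_ds = make_ds("example.com", ksk)
    for tag, alg, dt, digest in parent_ds:
        print(f"example.com. IN DS {tag} {alg} {dt} {digest}")
    print("anchored by parent:", anchored_keys("example.com", [ksk, zsk], parent_ds))
```

Only the KSK is anchored by the parent; the ZSK is trusted because the KSK signs the DNSKEY set, which is why the ZSK can be rotated without contacting the registrar.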
One use for OSGi on a web server is to host many separate applications. Currently, each application bundle (.war file) includes its own dependencies, but with an OSGi manifest, the app server can supply the dependencies so each application can be tiny - only include the resources it needs, not duplicate copies of shared .jar files. This saves a ton of memory in this situation. Additionally, hot-deploying of each application is much easier. Virgo is one such OSGi app server.
However, if your production app servers are only serving up your one production app, OSGi doesn't seem to help much (from my limited understanding), assuming you still have hot-deploy and session-replication and all the other clustered good stuff.
When he's badly injured and uninsured and taken to the emergency room and I pay for it. That's where the law helps me anyway.
i use IE in virtualbox in linux to watch videos on youtube...
Sorry but, that is retarded.
FlashPlayer "Square" hasn't crashed on me in 3 years! Even when it was a Labs project in alpha, it was stable on x64. Granted, I use NoScript to block 3rd party scripts (I temp whitelist the current domain) so that blocks most Flash ads and other junk from loading.
Download the tarball: http://get.adobe.com/flashplayer/otherversions/
Remove whatever flash came with your distro, throw libflashplayer.so in: /usr/lib/mozilla/plugins/ and restart FF. `ps aux | grep plugin-container` might use a lot of ram after a long browsing session, but it's super-stable and has been for a long time.
Hard links are awesome, but they're limited to a per-file basis. SDFS and other block-level de-dupers will only store unique blocks. E.g. storing multiple virtual machine images -- as each image is one huge file, hard links do nothing.
Right, big deal, the app calls the browser to do something in the background while the screen is locked. However, you may be scared after reading the following PDF, "Systematic Detection of Capability Leaks in Stock Android Smartphones" -- I was!
Jump to page 9 for the table.
Three HTC phones allow rogue apps (without the defined permissions) to record phone calls and send SMS! The SMS example is neat as they broadcast an intent with the phone number in it; then stock apps on the phones actually send the message. Also, the Samsung Epic 4G allows rogue apps to follow a similar method to wipe the phone to factory defaults! Most of the exploits are in the default packages that come with the bloated firmware from either the device maker or carrier. The Google Nexus phones were the safest as they had the fewest apps installed.
From the PDF:
"...by simply including a premium number in the intent, the built-in app will start sending SMS messages to this premium number!"
"For example, the explicit leak of CALL_PHONE capability in Samsung Epic 4G involves passing a component a “technical assistance” phone number, which it calls after considerable processing. Similarly, all the tested HTC phones export the RECORD_AUDIO permission, which allows any untrusted app to specify which file to write recorded audio to without asking for the RECORD_AUDIO permission."
You can't trust GoDaddy or anyone else to generate your private key! Thus it would no longer be private. Granted, more checking besides Whois data should happen for the ridiculous prices the CAs demand. Also, the owner of the private key obviously knows the public key, and when they install the CA-generated certificate along with the keypair, the cert must match the public key.
It's great the CA/Browser Forum, made up of the most prominent Certificate Authorities, is taking steps to standardize their rules for certificates. Many rules in the PDF are technical and exact, which will help with software enforcement.
However, even this necessary step of not issuing public certs for non-FQDN hostnames and reserved IP addresses won't take effect until late 2016!
As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Server Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Server Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Server Name.
If we're going to spend time and resources updating our browsers and operating systems to enforce some of these requirements and properly query certificate revocation lists, we may as well throw out the entrenched CA model and try something else.
Just because someone compiled a kexec kernel module doesn't mean the kernel booted from the signed bootloader will allow it!
This prevents hope of booting something else:
http://forum.xda-developers.com/showpost.php?p=19707511&postcount=275
Great insight. It will be sad to look back on our current Internet in 50 years and realize how free it was.
Are there business or technical reasons you do not want to open the source code for WhisperCore or any of the sub-projects like WhisperMonitor?