Slashdot Mirror


User: Ifni

Ifni's activity in the archive.

Stories: 0
Comments: 265

Comments · 265

  1. Re:No it doesn't. on Fairpoint Pledges To Violate Net Neutrality · Score: 1

    The GP was not correcting capitalization; he was emphasizing that the GGP had omitted the word "are" from the URL. The capitalization was merely to call attention to the correction, which was wise since apparently some people are incapable of reading long sequences of concatenated words, as you have so aptly demonstrated.

  2. Re:I've never heard of this before. on "See-Through" Touchscreen Solves Fat Finger Problem · Score: 1

    Actually, IE, Office, and Windows blow. Many of Microsoft's other commercial technologies are genuinely competitive on merit alone, if not actually ingenious. The XBOX, their gaming division, and their mice, for example, though not without flaws, are generally high quality products that would succeed even without the Microsoft brand name.

    Microsoft, as a corporate citizen, is worthy of the spite it generates on Slashdot. Some of its flagship products are also worthy of that spite, but universally condemning every employee and product associated with them is closed-minded. Even one's most hated adversary generally has some redeeming qualities, and failing to recognize them places YOU at the disadvantage.

    In short, I agree with your statement, but thought it worth clarifying that not all of their good ideas die before seeing the outside world.

  3. Re:Obama on Obama Launches Change.gov · Score: 1

    Have you ever heard the Democrat or Republican figureheads that have radio/television talk shows? Talk about a fanciful view of the world that they firmly believe is the truth. If my observation was but a third of what one could regularly hear on FOX or Rush about the candidate, you might have a point, but it wasn't, so you don't. I will cop to not making it excruciatingly clear that I do not actually believe in such a conspiracy theory, but such a made-for-TV movie plot should have been a pretty obvious giveaway.

    I was making an observation along the lines of the Lincoln-Kennedy "similarities" (http://fusionanomaly.net/kennedylincolnsynchronicities.html), not a political observation. Only a nutjob would take them seriously (based on the reasons stated in my post, though some much more solidly grounded conspiracy theories - based on more than "what's in a name" - are well within the realm of possibility), though at a sub-conscious level these factors MAY have impacted some voters' decision processes. I'm not the only person to have mentioned the Obama-Osama "similarity", and I'm certainly not the only sane person to imagine that some people would vote against him based solely on that information.

    So, yeah, my ability to separate reality from fiction is working just fine. How's yours?

  4. Re:Long Italian tradition of standing up for the w on Four Google Officials Facing Charges In Italy For Errant Video · Score: 0

    Now that's funny - why'd you go and post as AC?

  5. Re:Obama on Obama Launches Change.gov · Score: -1

    I voted Obama, so please see this for the fanciful observation it is.

    I've had this sneaky feeling that there were some puppet-masters of the ancient global conspiracy variety that manufactured the Obama candidate. Kind of a blind terrorist fear gauge. His first name sounds like Osama - differing by one letter. His middle name IS Hussein, the last name of a murderous dictator and terrorist collaborator, and then he chooses a running mate with the last name Biden, which is the first 2 and last 3 letters of Bin-Laden, one of the most notorious terrorists in the world today. Then, you sprinkle a history dotted with possible association with religion and governments themselves strongly associated with terrorists (at least in the court of public opinion) and it just seems like too many coincidences.

    Stack the deck against him like that, consider the huge margin of victory, especially in light of the historic snubbing of black presidential candidates, and you have to come to the conclusion that people were, sub-consciously or otherwise, willing to overlook a lot in order to undo the work of the last 8 years.

    I'm Libertarian, and usually side with the Reps against the Dems, and I know that a Democratic Congress is probably just as responsible for this mess as the Republican President, but it was done on his watch, and quite frankly, the buck stops there. That, and he personally backed a number of these policies rather than simply being overridden by Congress.

    We've done more irreparable harm to our reputation worldwide in the last 8 years than at any other time. Republicans are usually acknowledged as good at foreign policy and bad at domestic policy when the pundits start talking, but the last 8 years saw massive mismanagement of both. Again, I am talking about popular opinion, and not necessarily my personal views, though I do agree with much of it.

  6. Judean People's Front on Schneier, Journalist Poke Holes In TSA Policies · Score: 0, Offtopic

    Obligatory Life of Brian:

    BRIAN: Are you the Judean People's Front?

    REG: Fuck off!

    BRIAN: What?

    REG: Judean People's Front. We're the People's Front of Judea! Judean People's Front. Cawk.

    FRANCIS: Wankers.

  7. Re:Firefox isn't helping on Google's Obfuscated TCP · Score: 1

    My point of contention is where you claimed that MitM was just as invisible as eavesdropping. I did not argue with your assessment of the technical skill required (though there are many more points in a network where you can compromise a system that allows for eavesdropping - like a managed switch - that you cannot use for MitM, making MitM at least some amount more difficult). However, the fact that some networks will have IDS that looks for ARP poisoning and ICMP redirect attacks means that being noisy makes MitM considerably riskier. And malware, though possible to consider it MitM, is outside the scope of this argument as at that point you may as well just use a keylogger, making just about any network level countermeasure useless.

  8. 10 billion emails a day? on International Spam Ring Shut Down · Score: 1

    able to send 10 billion emails per day

    That's almost enough to send a spam to every person on the planet twice. Even if some have more than one email address, there are a sufficient number who do not have an email address to balance that out. So I can only assume one (or both) of two things:

    • They are spamming for multiple products per day.
    • They are brute-forcing email addresses rather than spamming from a list of known good addresses.

    Either way, that's a tremendous amount of burden on the tubes. Quite possibly more spam from this one ring than all the legitimate messages in the same period.

    Seems like a significant cost to legitimate businesses, and yet instead of a campaign of terror a la RIAA vs. the Pirates (another group of folks supposedly causing "significant losses" to an industry), companies pay ridiculous sums for spam filtering software.

    I'm just sayin'...

  9. Re:Firefox isn't helping on Google's Obfuscated TCP · Score: 1

    On any network I can eavesdrop on, I can just as invisibly MitM you without being noticed if the certificate is self-signed anyway.

    Not to nitpick, but this is patently false. To MitM, you HAVE to be in-band, which is far from invisible in the vast majority of cases. To eavesdrop, you can be out of band, which is significantly more difficult to detect, and easier to achieve (practically, theoretically, and technically).

    Other than that, I mostly agree with the rest of your post.

  10. Re:Firefox isn't helping on Google's Obfuscated TCP · Score: 1

    Sniffing and MITM are magnitudes apart in difficulty. Yes, if you have COMPLETE control of the network, they may be trivially different, but if you are sniffing a wireless connection you don't control, it requires significantly more effort (and risk) to do ARP poisoning so that you become the gateway across which all traffic flows as opposed to simply listening in.

    For a wired network, it is easier to SPAN a port and listen passively than it is to find a way to make a hardware based router do a MITM, or (again) do ARP spoofing so that your computer that has all that MITM software acts as a gateway.

    So, yes, if you already have the traffic flowing through a device which can load some MITM tool, they are just a button press apart. But the reality is that whether the network is private or public, it is much more difficult to ARP poison or own a vital piece of network equipment (and install the proper software on said equipment) than it is to just flood a MAC table or create a SPAN port on a switch and listen in passively.

    Now, if you are the NSA or some other TLA agency, it might be different, but to my knowledge all of the monitoring equipment that they place at ISPs is out of band - which is to say that it listens passively and cannot manipulate the traffic. So again, though using the sniffing and MITM software may be almost identically difficult, setting up the circumstances to enable the use of one over the other is not.

    Or am I missing the MITM software that comes stock in a Cisco firewall or router?

    As far as the use of self-signed certs, I think that it is far better than plain-text, but yes, there needs to be more awareness on the part of the users as well as the site operators. The infamous "lock icon" should be locked and green for trusted certs, unlocked for unencrypted traffic, and locked but red or yellow (and possibly flashing for a brief interval after each page load to draw attention to it), and users educated on what exactly the risk is when the lock is yellow or red.

    Optionally, users can be trained on the difference between encrypted and authenticated and there can be a lock icon for encrypted, and a separate icon for authentication. Either way, it comes down to user education.

    Another option is to have the self-signed website provide an image that displays the hash for a self-signed cert, so that the user can check it against the cert being offered. If that site is being targeted, the MITM can create his own image, sure, but if it is simply an automated tool like most of the ones today, it would not know what the image name was, or if there was one, for it to replace in transit. Again, I use an image so that an automated tool can't just look for a character sequence that matches the fingerprint for the site's cert and replace it with its own.

  11. Re:the banned page on Slashdot's Disagree Mail · Score: 4, Insightful

    Actually, because of the lack of a "but" it can be construed as a contrasting comparison - to wit: "we're good, therefore/because we are not psychic". Most readers will realize that the true intent was "we're good, BUT we are not psychic," but the lack of a conjunction does leave it slightly open to interpretation.

  12. Re:And what are us Americans going to do about it? on As of October, FBI To Allow Warrantless Investigations · Score: 1

    I'm going to start slipping suspicious phrases and key words into every conversation, email, post, and letter. I will simply give them so much chaff to sort through that they'll either give up, or miss something truly worthwhile. If I start now, I'll have worn them down by the time I really want to say something I'd rather keep secret.

    Example:

    I was thinking of using a _plutonium_ based _weapon of mass destruction_ in a _terrorist attack_ on _President Bush_. Big words would probably do.

    Take THAT, Skynet, er, Echelon!

  13. Re:Scientific community? on The Flat Earthers Are Still With Us · Score: 1

    Gah, my bad - I meant intersection (of the two) and the FE set were the same, or nearly so. Not sure what caused me to invoke "union". I fail at set theory...

    I explained it all so well up until the last sentence...

  14. Re:Scientific community? on The Flat Earthers Are Still With Us · Score: 1

    Replying to myself to complete the thought I started:

    Which is to say that I believe that the GGP had a fairly good grasp of the difference between a union and an intersection, and was using the term intersection properly.

  15. Re:Scientific community? on The Flat Earthers Are Still With Us · Score: 1

    When I read it, I figured that was his point - that the intersection (the part that contains people meeting both criteria) contained the VAST majority of the set called "Flat Earthers", such that the Flat Earthers were all but a subset of the Creationists. In other words, he was saying that the intersection of the creationists and the Flat Earthers may not equal the union of the same two groups, but it comes pretty close.

  16. Re:Hey, I just wrote about this on Apple Still Has Not Patched the DNS Hole · Score: 3, Insightful

    I wonder if they use OSX server for their public DNS and how much egg they would have on their face when some script kiddie used Metasploit (http://www.metasploit.com/) to "test" their servers for them.

    No targeted exploit indeed. Of course I suspect they pay some actual professionals to manage their DNS, and that these professionals use a proper server OS and have patched the DNS hole. But still, a script in the wild that affects the security of their servers certainly exists, on a very popular vulnerability assessment tool no less, and should be cause for concern on their part. The fact that it apparently isn't just shows how seriously they take their server business.

  17. Do away with needless licensing on 20 Features Windows 7 Should Include · Score: 1

    Seriously (and this is more targeted towards the server versions of the OS), still choosing between Client or Server based licensing in an Internet connected world is just dumb. We already pay over $700 for the damn OS, what's wrong with allowing an unlimited number of clients to connect to the file shares/web server/print server? I know, it's about vendor lock-out (Windows OSes include their own client license, so it's only a problem when you use a non-MS OS), but with SAMBA so easy to set up, CUPS working with most printers quite well, etc, and usable on a FREE OS, that $700+ PLUS additional licenses for non-MS clients (PDAs, etc) becomes ridiculous.

    /end rant

  18. Re:Always. on When Is a Self-Signed SSL Certificate Acceptable? · Score: 1

    http://www.oxid.it/cain.html

    This makes MITM so easy anyone can do it. They don't even have to be your upstream provider - they just have to be sharing the same wireless connection, or be on the same wired network. No, a switch won't help, because it can use ARP poisoning to become your gateway to the Internet.

    So yes, eliminating just one attack vector does improve security significantly if it is an easy-to-exploit vector.

    As a point of interest, I was once in a CEH (Certified Ethical Hacker) class for work and fired this baby up. An entire classroom full of "security experts" of various levels of skill. Even though a few noticed that the CA signed certs for their favorite sites were now popping up a browser warning ("hey, why is this popping up?"), to a one, they all accepted the new cert anyway and checked their email/bank account/Paypal.

    So, while it's good to eliminate one potential avenue of exploit, the larger avenue remains one of proper education, even for "experts".

  19. Re:It's worth every penny on Denon's $499 Ethernet Cable · Score: 1

    Bah. Not 96 kilobits. At 16 bits per sample and 96k samples per second (again, assuming the highest fidelity I'm aware of for consumer grade equipment), we're talking T1 speeds per channel, or about standard Ethernet speeds (10 megabit) for 6 audio channels. But other than that, the statement stands.

  20. Re:It's worth every penny on Denon's $499 Ethernet Cable · Score: 1

    There is a lot of truth to that article, but it's still bogus in relation to what we are discussing here (CAT5e cables). For one, most of the article discusses bad clock sources. A cable, no matter how good, can't fix that. The small part where cables are discussed basically describes faulty cables as a source of issue. Not cheap cables. Faulty ones. Cables with corrosion or oxidization or faulty soldering. I'm assuming cables with highly impure copper could also cause problems. Or poor insulation/shielding/twistiness. But for the argument here, we are discussing cables that meet recommended specs - CAT5e in this case, whatever HDMI quality considerations cables must achieve in the case of the referenced article. Once that minimum level is achieved by a wire, all wires are the same.

    I also like this part of the article:

    About the images used in this piece: Scope faces are for illustration purposes and may not be from a HD video stream.

    Having said that, the article was largely informative, and in non-digital situations, silver is likely a better way to go, but that goes somewhat outside of my area of expertise as a computer guy. At audio speeds (a few MB per second at best), jitter caused by cable has no discernible impact. At gigabit speeds over long distances it does, which is why all network cabling has minimum specs and recommended max distances. But we're talking 96 kilobits per channel over 6 channels over a meter and a half. Any non-defective cable made to spec will work just as well as any other.

  21. Re:Hide the evil code? on 2008 Underhanded C Contest Officially Open · Score: 2, Interesting

    Replying to myself so both posts can be ignored together...

    Another option is to have an option in the program that allows the user to choose to have the redacted part recoverable (optionally with a password), but the check for that option is subtly bugged such that the option is ALWAYS enabled, and the default password is known or determinable. Then all the complex code for hiding a recoverable image looks innocent, and the only hard part is making it non-obvious that the check to use that feature always returns true.

  22. Re:Hide the evil code? on 2008 Underhanded C Contest Officially Open · Score: 4, Interesting

    Actually, this one is likely simple (haven't read the detailed requirements, so I may be off base), but instead of redacting with a solid black block, redact with a "random" pattern, perhaps using MD5 to generate the pattern from the original. MD5 is reversible (though maybe not for all values), though the computing requirements to do so might be a little more than the project demands. In that case, some other innocent looking but slightly flawed algorithm to obfuscate the image portion (I think someone mentioned the Photoshop Swirl filter) could be used. A casual observer would look at the code and go "oh, what a neat effect, and it is indeed unreadable", without investigating the reversibility of the process.

  23. Re:Honestly, these problems are solveable on The Most Annoying Software Out There · Score: 1

    A - NoScript does this as well. Flashblock could be better (I don't know), but NoScript has good Flash blocking functionality.
    B - Regardless of whether you choose to use Flashblock for blocking Flash or not, be sure to use NoScript anyway for all the other stuff it does. Blocking Flash but allowing Java is horribly naive.

  24. Re:Winamp becoming Damned Irritating on The Most Annoying Software Out There · Score: 1

    I concur. I've loved and sworn by WinAMP for years, but I'm seriously thinking about looking into alternatives. I play most of my media with Media Player 6 (open source) anyway, but it has poor support for building/managing/navigating playlists, as does VLC, which is also Damn Handy^tm. Sigh. It is fortunate that we have entered a world where beggars can be choosers and users can and should demand top performance/stability/features from free software.

  25. Re:Norton Products... on The Most Annoying Software Out There · Score: 1

    I also dropped AVG Free for Avast!. My only complaint about Avast! (aside from the already mentioned audio alert) is that they require you to register. Free, true, and that's what disposable email addresses are for, but still a little annoying. But the user interface is much better than AVG, and it certainly seems faster. I never compared resource usage, but with AVG, app startup seemed sluggish, and after going to Avast!, it seems snappier. Could just be subjective, but I'm happy with the switch.