Actually you are close but a little off. Verisign, Thawte, CAcert, Startcom, and the likes are trusted third parties, but they don't issue or generate your private key. You (via your browser software engine, smartcard, OpenSSL, etc.) generate your private key and send them your CSR (Certificate signing request) which contains your public key. The TTP then issues the certificate based on your public key and the CSR. The TTP never has your private key and therefore can't decrypt anything that was sent to you via your certificate, and can't sign anything to make it appear it came from your certificate.
The function of the TTP is for identification. Your browser is set to trust Verisign's signing key, so therefore when you visit https://supersecurewebsite.com/ your browser verifies that your certificate is signed by Verisign's, and therefore is trusted. Now you can use your own signing authority, as you called the "RSA key server" above, which is called self-signing your keys. You can still use it and it is just as cryptographically secure as using Verisign, however I don't know your signing authority from Sam, so my browser is going to warn me saying it is an untrusted signer. E-mail using such a certificate is the same, it will say the message is encrypted and has not been altered since it was sent, however the identify of the sender can not be confirmed. Now if I knew you personally and could meet with you to verify the fingerprint of your key, I could set my browser/e-mail client to trust your key (or your signer) and that warning would go away and be just as (really more so) secure than Verisign's signature.
When you get down to it, when you see the little lock icon on your browser, why do you trust it? Have you ever looked at the default list of trusted root keys? There are over 50 in my Firefox installation, and that is not including other authorities I've installed. AOL is not considered secure by anybody on the 'net, however their root key is installed as trusted by default in your browser. Why? Because at one point they talked their way onto the list way back in time, and while Mozilla now has a set list of requirements for new roots to be added, they have not gone back and applied those rules to roots already in place and basically grandfathered them in.
Even if the had its fingers inside of Verisign, Thawte, or any other root authority it doesn't make it any easier for them to decrypt your communications once it is been properly encrypted. At best it would let them generate a key for their own server, pretending to be https://supersecurewebsite.com/ and be a man in the middle.
> 2. They mix 568A and 568B - usually wiring A in the wall, and using premade B patch cables. Instant crosstalk. OK on very short runs, but anything longer than 80' to 100' will become problematic with many NICs.
Um... I'm raising the brown flag here. The difference between 568-A and 568-B is the order at which the orange and green pairs arrive inside the connector. A cable made with 568-A on both ends is electrically the same as 568-B on both ends. The only difference is the color of insulation on the pairs at that point. "The T-568A standard is supposed to be used in new network installations. Most off-the-shelf Ethernet cables are still of the T-568B standard; however, it makes absolutely no functional difference in which you choose." - http://www.cablesplususa.com/rj45-utp-guide.htm
Other than that, I'll agree with you on your other points.
We're splitting hairs at this point, but technically 3 is only a problem if the insulation is nicked deep enough to actually nick the conductor, which is usually the case. If the conductor itself is not nicked, even an exposed conductor is not a problem. The only problem would be due to corrosion or moisture, and unless you're using a silicone filled connector, you're going to have those issues at the end of the cable anyway. If you nicked the insulation outside of the connector where the silicone wouldn't do any good and didn't scrap it, you really have no business making cables.
I wasn't suggesting they take anything away from you, just that they don't take away upload bandwidth at all. If they want to treat it as burst, then they need to advertise/sell it that way. Don't say "2MB up" then bury in the user agreement a clause that says "100K if you use more than 2 MB in a 5 minute period" or some such crap.
I definitely think they should offer some sort of status page that shows the current upload and download speed caps, and any aggregate totals towards any limits in place. This would be an acceptable alternative if they can't just let us get what they are charging us for and leave us alone.
I have no problem at all with QOS implemented by an ISP as long as it is fair, such as all VoIP packets getting the same priority, regardless of whether they have their own offering or not. As long as they don't prioritize their own services, I think they should still be allowed to maintain their common carrier status.
I do however have a problem with changing the upload speed. If they want to cap my download, go for it, but leave upload along. QOS in Smoothwall, Tomato, DD-WRT, and other routers is based on a constant upload bandwidth. This means in order to ensure you have proper-functioning QOS during a rate cap, you have to configure it for the capped speed at all times. You can no longer take advantage of your uncapped speed.
The best way to handle high-usage customers is to downgrade their priority once they hit a threshold. That way if my neighbors aren't using the bandwidth, I can. Why let the pipe sit there empty? When the neighbors need it, my priority goes down to make sure they see the speeds until they hit their own cap.
Since most peering arrangements are based on the percentage of traffic moving in one direction based on the other, they should be encouraging customers to be on the uploading side as it will help tip the scales in their direction and actually reduce their bandwidth expense.
The worst part about it is when I contacted them they verified the coupons were never used before they expired. They weren't taken in transit and spent, they just got lost in the shuffle. I would be a little more understanding if they had been used, then it would be a question of whether I actually got them and used them. All I was asking for was a re-issue of the cards that were issued to me already. But thats the efficiency of the government shining through.
I requested coupons for a couple of older TVs, but never received them. I inquired but they said they were sent out and there is nothing further they could do, and suggested getting an unused card from a friend or relative who had to many. Perhaps a trading site could be set up to match people who have extras with people who didn't get any for whatever reason?
If you have nothing better to do with it, I could send you a stamp to send it my direction.;-)
In my opinion the whole spiral started with Joel Kocher. When I started employment at MPC (was called MicronPC.com at the time) in early '00, they had a rock solid product, and were in the midst of transitioning to a PC and Internet hosting company. Kocher introduced a free bare-bones PC with a long-term Internet service contract.
Kocher was convinced the PC was dead and that hosting was the way to go. Up to that point Micron PC was known as the Cadillac of PCs, using good quality parts, a good non-bloatware system load, etc. Once this piece of cheapest-possible junk was introduced, the reputation of the company, as well as the internal focus on quality went out the window. All of the company effort was focused on expanding the hosting business at the expense of the hardware side of the business.
After a while Kocher spun off Hostpro and left the PC manufacturing side of the business to die. It was picked up by an investment group and was never able to fully recover. While I can't confirm it, rumor stated that the company could have turned around but the investment company siphoned off every cent of profit rather than re-investing it back into the business for long-term growth. Coupled with leadership that (I feel) were more interested in short-term balance sheets than long term success doomed the company to failure.
I was laid off in July of '06, and haven't looked back. I made it through more layoffs than I could count and the stress of wondering if I'd have a job every couple of months was horrible. The layoff that finally caught me was more of a relief than a concern. I should have looked for something else far prior to that but I was convinced the company could recover and then I'd be in a good position for advancement.
The way I see it the company has been floating for the last 6+ years, and someone finally decided to hit the flush handle. I have quite a few friends that were still employed there that have lost their jobs in the last month. Its a tough job market right now and this isn't going to make it any easier.
As long as it is reasonable (such as the $5/month you used as an example or even double that) and covered all **AA wares I would have no problem paying an *optional* ISP media fee. I could easily get that much usage out of it, and would wager to say most people would.
Back in the Napster days I noticed a trend that a new user would download a metric crapload (yes, very scientific measurement) of songs when they first got access, then only picked up a handfull of songs every now and then after that. On average a person would probably download a movie or two and a couple of songs every month after the newness wore off. With songs (iTunes) and movie rentals (Redbox) at $1 each, I think on average it would be a fair deal for both the consumer and the media moguls.
Unfortunately the genius in the SUV is completely oblivious to the lesson. I love seeing people swerve in and out of traffic trying to cut that extra 2 seconds off of their trip, only to be the car in front of you stopped at the same stoplight. They think they're hot stuff but they saved no time at all, and likely killed their fuel mileage with the quick accelerations to dart around all of the cars to get there.
You're close. The entire point of SSL is to ensure the user can trust that they're connecting to the correct server. Trusting the server itself and consequently those in control of the server is outside the scope of SSL. And paying Godaddy for a certificate doesn't change that.
What this whole discussion gets down to is phishers that register a close approximation of a bank's domain. The user is the one that actually types in the address or clicks a spam link to get to the site. The user typed in usbamk.com, and they got to the right server. SSL is correctly telling them that. What SSL is not telling them, and can never tell them, is that the owner of usbamk.com put up a page to look like usbank.com in order to scam the user out of their money. Nobody wants to take responsibility for their own muck-ups anymore. Why should everyone else have to deal with more inconveniences and fees because of them?
EV certificates are designed to take it up a step, that the company using the certificate has had some facts verified about it. I still think they're a solution looking for a problem. The big push showing how much more trust can be placed in EV certificates though is destroying the reputation of good old non-EV certificates. They are no less valid now that EV certificates are out there, but the big players are yelling the opposite.
With the way browsers are now handling non-monetarily-obtained certificates, using a self-signed or CAcert (or similar org) certificate is hard to do. How can you explain to Grandma that it is OK to go to your family's website when the browser she's been conditioned to trust is telling her the exact opposite? And now you purchase a $30 godaddy certificate, but the address bar is not showing the green icon and the same feeling of mistrust shows up.
We're catering to the least common denominator here. Those who don't use their common sense online are taking the fun out of it for those of us who do.
The thing is they shouldn't have to swallow $50 a year for something that should be free. And $50 for a non-profit organization that already may be up against a tight budget, that $50 takes away from something else they could have done.
What do you mean CAcert has no accountability? They have a web of trust in place that actually checks IDs person to person. Thats more than Verisign does. All they do is charge a credit card.
A CAcert server certificate does exactly what it says it should, that the owner/controller of the domain is in control of the server. It does not verify the personal integrety of the person running it. Of course a Verisign certificate says exactly the same thing but some money exchanged hands in order to say so. But you're trained to trust it more because "its always been that way."
Personally I think browsers should ship with no root certificates installed at all, and the user can seek out and install the ones they trust. Have you ever looked at the list of default roots in your browsers? Can you verify that every one of them does more verification than CAcert does?
CAcert is getting close to being audited so that their root will be included in browsers by default. Does that change your stance regarding trusting their server certificates? If not you're going to have to start remembering to remove their root from each browser installation. While in there how many more are you going to remove?
It bothers me seeing people put so much blind trust in Verisign and Thawte and the likes. To take it a step further, have you ever gone out to your bank's web site and written down the fingerprint of their signature and attempted to verify it at your bank? 99.9% out there will say no.
The point of an SSL certificate is to secure the communications line, and to ensure the entity you're communicating with now is the same one you communicated with previously. Intentions of the person/server you're communicating with is outside of the scope. No amount of money exchanging hands will change this fact, yet Verisign has obviously convinced a lot of people to the contrary.
I would argue that there is in fact a need to call. There will be several types of customers that would receive a call.
1. The customer who did not want to renew and has not done so purposefully. The will tell the caller "no" and may even ask to be placed on the company's Do Not Call list.
2. The customer who wanted to renew but forgot about it or for some other reason has not done so yet. They will be grateful to have received a reminder, especially with a discounted rate.
3. The customer who is on the fence and has not decided whether or not they were going to renew. Some will renew due to the discounted rate, while others may decide not to renew simply because of the bother of the phone call.
#2 and #3 above create the need for the calls. If everybody was a #1, the calls would stop. Obviously enough people find the calls useful enough (and therefore buy the product) to make the phone calls worth while.*
Of the magazine renewal call centers I have knowledge of, they typically have a "yes" rate of between 20% and 40% of the contacts made. The number of customers who get irate due to the call and/or ask to be placed on the do-not-call list is not even 1%.
As I said, I fully agree with you on cold calls (which the do-not-call lists do a very decent job of handling,) but the occasional offer from a company I already do business with is fine. 5-6 calls per year for a person who has 4-5 magazine subscriptions is really nothing to get worked up about. If calls bother a person that much, they really should have an unlisted number that they never give out to anybody but relatives and close friends and possibly their employer. With all of the free voicemail type of websites out there these days, there is really no excuse for someone getting upset because they gave their "real" number to a company that chooses to call them on it.
* Note that spam is sent around by the same logic, but the difference is most telemarketing firms do so responsibly such as honoring do-not-call lists. Spammers on the other hand go out of their way to make sure you get that spam whether you want it or not, even to the point of DDoSing anti-spam websites and products.
There are legit telemarketing companies. I know of a couple who call people regarding renewals of their magazine subscriptions. They are calling their existing customers who have not yet renewed, offering a discounted renewal rate if they renew before their subscription runs out.
I do believe you have a point that there are no legit cold-call telemarketing companies.
"You have to learn version control systems, the community, what constitutes "easy", you have to learn the scale and meaning of each piece of the project, you have to learn communication and moreso, you have to know enough to actually fix things."
Um... Every one of those attributes are key to a regular paid position as well. Any sort of company that has anything above an amateur programming team will be using version control of some sort. An as far as learning to communicate with the community and learn about the entire project, its just silly to suggest a person wouldn't be doing that in the workforce.
The first thing when I started a position with programming as part of the official job description was get set up on the revision control system (Subversion) and just start browsing the code. After I got familiarized with the overall project scope (what do these individual pieces of code do and how do they fit into the whole picture,) I was given some of the low-hanging fruit in the bugtracking system to tackle. Next I started grabbing tickets I thought would be simple for me to fix. I grew from there and now I am in charge of our biggest software project.
There are more similarities than differences between corporate and open-source programming. Heck, even in a corporate environment you may not have face-to-face contact with your fellow programmers with all the outsourcing going on.
Actually, it isn't a random door guard that happened to be walking by and decided to allow access into your home. It is a doorman (router) you hired (purchased) who gave you the choice of reading his contract (the user's guide) defining his default behavior, such as allowing anyone to enter if they ask (allow association and give IP upon request.) He also gave you a questionnaire (the web interface) to fill out if you want to change any of his default behavior. If you chose not to read the contract (manual) and/or have it reviewed by an attorney (friendly neighborhood geek) if you didn't understand it, who is actually to blame, the employer (owner) or the employee (router)? The employer (owner) has proxied the doorman (router) into "a position to decide absolutely who can and can't access the network" for them but they simply were not given a replacement "guest list" that doesn't say "everybody".
I have several access points at various locations that I am responsible for. If they're open, I don't care who uses them. If they're protected, you aren't allowed to use it. Its really a pretty simple concept.
Look at it in another way. Say I have a sprinkler set up in my front yard, and part of the spray goes over the property line. My neighbor decides to put a bucket in that spot to collect some of the water to pour on his garden. Do I have a right to be upset at my neighbor because he used the water that I allowed (either by negligence or design) to spray onto his property?
You may try to argue that the bucket is actually being passed onto my property in order to fill it since WiFi involves a 2 way signal. In that case, refer to my doorman example, the WiFi signal is being given explicit permission by your proxy, the router. This would be the same the neighbor asking your doorman if he can hang his bucket in the corner of your yard when you water since his hose won't reach out to his garden. Who should you hold responsible, your neighbor for not knowing that your doorman was not given proper instructions to deny your use of the water? Your doorman for not telling him "no" without explicitly asking you first? Or yourself for not giving your doorman proper instructions on who to allow use of the water?
I really don't see why people are making such a mountain out of this tiny little ant hill. In the end the setting in the access point still says "open" and the access point should be legally treated as such until such time that the setting is changed. Anything to the contrary is just someone not taking responsibility for their own screwup or their own unwillingness to do the proper research, which is in most cases as simple as reading the "quick start" guide.
Actually if you want to get technical, WiFi falls under part 15 of the FCC rules, meaning all WiFi devices must not cause interference to other devices, and the devices must accept an interference from other devices. In layman's terms (and without getting into the primary vs. secondary spectrum users,) you can't complain about somebody else's WiFi or cordless phone interfering with yours. While legally their device is not supposed to cause interference, you have to accept it without any legal recourse.
Your comment is spot-on though, if my WiFi is interfering with yours, please come see me and I'll help get it worked out so BOTH of us will have better signal. I've even made that easy, my street address and phone number make up my SSID.
3. Jurisdiction If the phone companies want to stop spoofing, they should design a secure system instead of relying on the congressional police
Who says the phone companies want to stop spoofing? What they want is for customers to pay their bills.
This is a consumer protection bill and protecting the citizenry is raison d'etre of the government.
The government shouldn't be protecting me from myself. Laws are meant to protect me from what I can't protect myself from. For example, I can't stop someone from breaking into my house when I'm not home and stealing my valuables. I can do what I can (good locks, alarm, etc.) to help, but in the end if someone wants in they will get in. I also cannot prevent somebody without insurance running a red light and totaling my car. There are laws in place to help keep people from driving without insurance in the first place.
As for spoofed CallerID, who in their right mind would give any caller any personal information just based on what the CallerID said? Before CID, did people just give out any information to anyone who called saying they were the bank without verifying somehow that they were indeed who they said they were? Nope. The need to do that hasn't changed. I have to actively choose to make myself a victim by giving out that information, so protecting me at a government level is unnecessary.
It has already been mentioned by numerous other posters that the true ID information, ANI, is already available to the telcos and to investigating officers. Due to this fact anyone who does commit a crime using the telephone is going to leave a paper trail anyway. If they have the ability to get around the ANI tracking, asking them not to screw with CID is not going to do anything but make them chuckle. The fraudsters who commit crimes using CID spoofing are already breaking existing laws, there is absolutely no need to add another useless law to the already over-complicated lawbooks.
People need to stand up for themselves and force the phone companies to change. The telcos have already recovered the cost for the CID infrastructure many times over and is purely a profit item for them now. Rather than having Congress enact yet another law, why not tell the phone companies you don't like how the existing system works by canceling your CID service? You are exactly right in that the telcos want people to pay their bills, and if people stop subscribing to CID, do you think they'd just turn it off and accept the loss of $6.95/month per line? Nope, they'd sit down and realize they just lost a 100% margin product and redesign it to meet what people will pay for again. Do you keep subscribing to a magazine when you decide it doesn't provide the content you want but ask Congress to enact a law to change the format of the magazine? I certainly hope not.
I've read articles that say a large percentage (between 80 and 100 percent depending on where they live) of Americans go about their daily lives unknowingly breaking at least one law on a daily basis. As an example, in many states it is against the law for any kind of "reproductive attempt" that is not the plain old missionary style. How does it hurt society if my wife and I (yes, a married Slashdotter, try not to stare please) want to try a different position? Nope, I can't think of any reason either. Why is it even on the books?
I'm sick and tired of having more and more laws on the books, and spending more and more money (taxes) to enforce them. The founding fathers of our country threw a big party that had something to do with tea when their government was unfairly taxing them and pushing unnecessary and unfair laws on them. Each and every one of them are probably turning over in their respective graves when they see what this country has become.
Despite what Oprah may tell you, YOU are responsible for YOUR own actions. If you don't like it move to China or some other police-controlled nation and let the rest of us enjoy our freedom.
Dallas has whitepapers for their OneWire bus protocol that list doing just that. From what I've seen, it looks to be fairly simple as far as things go. With the required components being only a few pennies (or less) at any kind of quantity, it would be a piece of cake to implement this.
You are correct in that root's e-mail may not prove 100% ownership, but what method would be secure short of sending expert auditors* on-site to verify every detail possible and the security of such systems? My point was I feel it is just as safe in my opinion as the checking the big companies do, only far less expensive.
In order to get the domain name in the CN of a certificate, CAcert requires the person requesting the certificate to be personally verified by the web of trust (meeting at least 2 people for ID verification, except in special circumstances) which provides another level of verification before the domain is even brought into question. The person would need to convincingly fake their own ID before pulling off some type of technical hack to get access to the appropriate e-mail ping. Again, I'm not saying it can't be done, but is harder in my opinion than it would be to simply fake a credit card for the big guys.
Unfortunately there is no good answer, short of only trusting certificates for people/entities that you can personally verify as being valid.
Jeremy
* By expert auditors, I mean truely competent technical people who actually know what they are doing and care about the results, not a typical "make a showing just to say we did it" audit as it usually happens.
When you register your domain with CAcert, they give you the option of sending the message to any one of the following addresses at the requested domain: root, hostmaster, postmaster, admin, webmaster, or the addresses listed in the DNS record. If you have one of these address aliased or forwarded to another location, then the message will get through to the new location.
Since those addresses are administrative addresses, you shouldn't be forwarding them to a user or mail system you don't trust. You should also not be allowing non-admin users access to the aliasing of your mail, so they couldn't create their own alias.
In short, if you have lost control of these addresses on your domain, getting a certificate issued to your domain is not your biggest concern. If someone owns your box to this point, they probably have access to copy the private key used for the certificate you bought from BigNameExpensiveCA anyway. They could probably also swipe your database of credit cards, personal info, and any other info they want, making an attack using the certificate more trouble than it would be worth anyway.
What method would you trust beyond this? Charging a credit card issued to the person listed on the DNS records? This is pretty much what the BigNameExpensiveCAs do. Identity theft is so rampant these days that I wouldn't feel any safer if the "owner" were verified this way.
"So, the Internet is a *problem* for good parents who want to teach their children about the reality of sex, rather than the superficialities found in porn, and solutions are therefore required. And partial solutions are better than none."
I completely agree that there are different views and different "levels" of potential harm depending on what is seen. In general though, I feel that a partial solution has the potential to make many parents think they've done "enough" and leave it at that. You don't appear to be a parent in that category since you understand it is a partial solution. I've said for a long time that people are stupid. There are obviously individuals who are intelligent, but as a group, the average intelligence is way below par.
"You mention that you have two kids. How old are they? This topic is very much on my mind because my oldest is just entering puberty and my second isn't far behind (and actually has more questions and concerns). If yours are at the same point, I bow to your superior equanimity. I'm rather worried about the next few years."
My oldest is almost 4, and my youngest is just over 1, so I have a few years yet before I have to really start to worry. I didn't claim to be superior in any way, I was just pointing out the "perfect" situation. I'm going to strive to do my best to come somewhere near that but nobody is perfect.
My plans so far are as follows. My kids won't have an Internet conncted computer in their rooms. I have no problem with them having a computer in their room on the network, but they will be mac-address blocked at the router, with maybe some specific sites whitelisted to be allowed. More drastic measures will be taken if they figure out how to get around that.:-) I plan to be open with them as to my expectations of what is allowed and not allowed, which is the hardest part. No matter how much work you and I put into making sure their home PCs are smut-safe (again, you and I would do a lot better job than most of the public mass,) there is nothing stopping them from going over to a friend's house whose parents installed a partial solution, or nothing at all. Heck, maybe even Little Johnny's cell phone on the schoolbus ride home at that point. This right there is why I have the desire to teach them right from wrong, so that when presented with the opportunity they will make the right choice.
When growing up, my parents did just that for me, taught me what was right and wrong. While Internet pr0n wasn't an option at the time, all the other things such as drugs and general delinquincy were always there. I never even had the desire to try any kind of illegal drug. I actually never had any alcohol to drink other than an occasional glass of wine at home in the evening, no drunken evenings for me. Not to say I didn't go to the parties, but just never had the desire to drink. I was never in trouble with the law or school administration, any of that. Maybe since I never had the desire I'm kidding myself as to the intentions of my kids. Only time will tell, and I hope both you and I are able to appropriately react and have kids that turn out somewhat normal.:-)
This is the type of misunderstanding that is causing the controversy over the Blue Frog. The point of the Blue system was not to DDoS spammers' websites. The point was to submit one opt-out request for every spam received. The idea was to make the spammers' "sale" list so full of garbage that they had to start cleaning their lists so that the real sales would come through. Once the spammer stopped sending spam to Blue members, they could continue to spam to their heart's desire. They were not trying to drop any servers or anything like that.
In my opinion, this method of spam fighting had no collateral damage. No non-spam messages were ever dropped due to a false-positive match in a spam filter. No non-spam servers were mistakenly blacklisted in a RBL. The only issue here was caused by one of the spammers resorting to an illegal attack in retaliation of fed-up users requesting to be removed from their list. BlueSecurity is not to be blamed for the DDoS of the blog sites, etc.
Slashdot Mirror
When they turn 'em on, does it show some distorted video of a guy telling them to play nice, and to enjoy the new laptop?
Actually you are close but a little off. Verisign, Thawte, CAcert, Startcom, and the likes are trusted third parties, but they don't issue or generate your private key. You (via your browser software engine, smartcard, OpenSSL, etc.) generate your private key and send them your CSR (Certificate signing request) which contains your public key. The TTP then issues the certificate based on your public key and the CSR. The TTP never has your private key and therefore can't decrypt anything that was sent to you via your certificate, and can't sign anything to make it appear it came from your certificate.
The function of the TTP is for identification. Your browser is set to trust Verisign's signing key, so therefore when you visit https://supersecurewebsite.com/ your browser verifies that your certificate is signed by Verisign's, and therefore is trusted. Now you can use your own signing authority, as you called the "RSA key server" above, which is called self-signing your keys. You can still use it and it is just as cryptographically secure as using Verisign, however I don't know your signing authority from Sam, so my browser is going to warn me saying it is an untrusted signer. E-mail using such a certificate is the same, it will say the message is encrypted and has not been altered since it was sent, however the identify of the sender can not be confirmed. Now if I knew you personally and could meet with you to verify the fingerprint of your key, I could set my browser/e-mail client to trust your key (or your signer) and that warning would go away and be just as (really more so) secure than Verisign's signature.
When you get down to it, when you see the little lock icon on your browser, why do you trust it? Have you ever looked at the default list of trusted root keys? There are over 50 in my Firefox installation, and that is not including other authorities I've installed. AOL is not considered secure by anybody on the 'net, however their root key is installed as trusted by default in your browser. Why? Because at one point they talked their way onto the list way back in time, and while Mozilla now has a set list of requirements for new roots to be added, they have not gone back and applied those rules to roots already in place and basically grandfathered them in.
Even if the had its fingers inside of Verisign, Thawte, or any other root authority it doesn't make it any easier for them to decrypt your communications once it is been properly encrypted. At best it would let them generate a key for their own server, pretending to be https://supersecurewebsite.com/ and be a man in the middle.
> 2. They mix 568A and 568B - usually wiring A in the wall, and using premade B patch cables. Instant crosstalk. OK on very short runs, but anything longer than 80' to 100' will become problematic with many NICs.
Um... I'm raising the brown flag here. The difference between 568-A and 568-B is the order at which the orange and green pairs arrive inside the connector. A cable made with 568-A on both ends is electrically the same as 568-B on both ends. The only difference is the color of insulation on the pairs at that point. "The T-568A standard is supposed to be used in new network installations. Most off-the-shelf Ethernet cables are still of the T-568B
standard; however, it makes absolutely no functional difference in which
you choose." - http://www.cablesplususa.com/rj45-utp-guide.htm
Other than that, I'll agree with you on your other points.
We're splitting hairs at this point, but technically 3 is only a problem if the insulation is nicked deep enough to actually nick the conductor, which is usually the case. If the conductor itself is not nicked, even an exposed conductor is not a problem. The only problem would be due to corrosion or moisture, and unless you're using a silicone filled connector, you're going to have those issues at the end of the cable anyway. If you nicked the insulation outside of the connector where the silicone wouldn't do any good and didn't scrap it, you really have no business making cables.
I wasn't suggesting they take anything away from you, just that they don't take away upload bandwidth at all. If they want to treat it as burst, then they need to advertise/sell it that way. Don't say "2MB up" then bury in the user agreement a clause that says "100K if you use more than 2 MB in a 5 minute period" or some such crap.
I definitely think they should offer some sort of status page that shows the current upload and download speed caps, and any aggregate totals towards any limits in place. This would be an acceptable alternative if they can't just let us get what they are charging us for and leave us alone.
I have no problem at all with QOS implemented by an ISP as long as it is fair, such as all VoIP packets getting the same priority, regardless of whether they have their own offering or not. As long as they don't prioritize their own services, I think they should still be allowed to maintain their common carrier status.
I do however have a problem with changing the upload speed. If they want to cap my download, go for it, but leave upload along. QOS in Smoothwall, Tomato, DD-WRT, and other routers is based on a constant upload bandwidth. This means in order to ensure you have proper-functioning QOS during a rate cap, you have to configure it for the capped speed at all times. You can no longer take advantage of your uncapped speed.
The best way to handle high-usage customers is to downgrade their priority once they hit a threshold. That way if my neighbors aren't using the bandwidth, I can. Why let the pipe sit there empty? When the neighbors need it, my priority goes down to make sure they see the speeds until they hit their own cap.
Since most peering arrangements are based on the percentage of traffic moving in one direction based on the other, they should be encouraging customers to be on the uploading side as it will help tip the scales in their direction and actually reduce their bandwidth expense.
The worst part about it is when I contacted them they verified the coupons were never used before they expired. They weren't taken in transit and spent, they just got lost in the shuffle. I would be a little more understanding if they had been used, then it would be a question of whether I actually got them and used them. All I was asking for was a re-issue of the cards that were issued to me already. But thats the efficiency of the government shining through.
Jeremy
I requested coupons for a couple of older TVs, but never received them. I inquired but they said they were sent out and there is nothing further they could do, and suggested getting an unused card from a friend or relative who had to many. Perhaps a trading site could be set up to match people who have extras with people who didn't get any for whatever reason?
If you have nothing better to do with it, I could send you a stamp to send it my direction. ;-)
Jeremy
In my opinion the whole spiral started with Joel Kocher. When I started employment at MPC (was called MicronPC.com at the time) in early '00, they had a rock solid product, and were in the midst of transitioning to a PC and Internet hosting company. Kocher introduced a free bare-bones PC with a long-term Internet service contract.
Kocher was convinced the PC was dead and that hosting was the way to go. Up to that point Micron PC was known as the Cadillac of PCs, using good quality parts, a good non-bloatware system load, etc. Once this piece of cheapest-possible junk was introduced, the reputation of the company, as well as the internal focus on quality went out the window. All of the company effort was focused on expanding the hosting business at the expense of the hardware side of the business.
After a while Kocher spun off Hostpro and left the PC manufacturing side of the business to die. It was picked up by an investment group and was never able to fully recover. While I can't confirm it, rumor stated that the company could have turned around but the investment company siphoned off every cent of profit rather than re-investing it back into the business for long-term growth. Coupled with leadership that (I feel) were more interested in short-term balance sheets than long term success doomed the company to failure.
I was laid off in July of '06, and haven't looked back. I made it through more layoffs than I could count and the stress of wondering if I'd have a job every couple of months was horrible. The layoff that finally caught me was more of a relief than a concern. I should have looked for something else far prior to that but I was convinced the company could recover and then I'd be in a good position for advancement.
The way I see it the company has been floating for the last 6+ years, and someone finally decided to hit the flush handle. I have quite a few friends that were still employed there that have lost their jobs in the last month. Its a tough job market right now and this isn't going to make it any easier.
Just remember when you move here to forget everything you learned driving-wise in California and re-learn it all the correct way. :-)
Welcome to Idaho!
As long as it is reasonable (such as the $5/month you used as an example or even double that) and covered all **AA wares I would have no problem paying an *optional* ISP media fee. I could easily get that much usage out of it, and would wager to say most people would.
Back in the Napster days I noticed a trend that a new user would download a metric crapload (yes, very scientific measurement) of songs when they first got access, then only picked up a handfull of songs every now and then after that. On average a person would probably download a movie or two and a couple of songs every month after the newness wore off. With songs (iTunes) and movie rentals (Redbox) at $1 each, I think on average it would be a fair deal for both the consumer and the media moguls.
Unfortunately the genius in the SUV is completely oblivious to the lesson. I love seeing people swerve in and out of traffic trying to cut that extra 2 seconds off of their trip, only to be the car in front of you stopped at the same stoplight. They think they're hot stuff but they saved no time at all, and likely killed their fuel mileage with the quick accelerations to dart around all of the cars to get there.
Idiots...
You're close. The entire point of SSL is to ensure the user can trust that they're connecting to the correct server. Trusting the server itself and consequently those in control of the server is outside the scope of SSL. And paying Godaddy for a certificate doesn't change that.
What this whole discussion gets down to is phishers that register a close approximation of a bank's domain. The user is the one that actually types in the address or clicks a spam link to get to the site. The user typed in usbamk.com, and they got to the right server. SSL is correctly telling them that. What SSL is not telling them, and can never tell them, is that the owner of usbamk.com put up a page to look like usbank.com in order to scam the user out of their money. Nobody wants to take responsibility for their own muck-ups anymore. Why should everyone else have to deal with more inconveniences and fees because of them?
EV certificates are designed to take it up a step, that the company using the certificate has had some facts verified about it. I still think they're a solution looking for a problem. The big push showing how much more trust can be placed in EV certificates though is destroying the reputation of good old non-EV certificates. They are no less valid now that EV certificates are out there, but the big players are yelling the opposite.
With the way browsers are now handling non-monetarily-obtained certificates, using a self-signed or CAcert (or similar org) certificate is hard to do. How can you explain to Grandma that it is OK to go to your family's website when the browser she's been conditioned to trust is telling her the exact opposite? And now you purchase a $30 godaddy certificate, but the address bar is not showing the green icon and the same feeling of mistrust shows up.
We're catering to the least common denominator here. Those who don't use their common sense online are taking the fun out of it for those of us who do.
The thing is they shouldn't have to swallow $50 a year for something that should be free. And $50 for a non-profit organization that already may be up against a tight budget, that $50 takes away from something else they could have done.
What do you mean CAcert has no accountability? They have a web of trust in place that actually checks IDs person to person. Thats more than Verisign does. All they do is charge a credit card.
A CAcert server certificate does exactly what it says it should, that the owner/controller of the domain is in control of the server. It does not verify the personal integrety of the person running it. Of course a Verisign certificate says exactly the same thing but some money exchanged hands in order to say so. But you're trained to trust it more because "its always been that way."
Personally I think browsers should ship with no root certificates installed at all, and the user can seek out and install the ones they trust. Have you ever looked at the list of default roots in your browsers? Can you verify that every one of them does more verification than CAcert does?
CAcert is getting close to being audited so that their root will be included in browsers by default. Does that change your stance regarding trusting their server certificates? If not you're going to have to start remembering to remove their root from each browser installation. While in there how many more are you going to remove?
It bothers me seeing people put so much blind trust in Verisign and Thawte and the likes. To take it a step further, have you ever gone out to your bank's web site and written down the fingerprint of their signature and attempted to verify it at your bank? 99.9% out there will say no.
The point of an SSL certificate is to secure the communications line, and to ensure the entity you're communicating with now is the same one you communicated with previously. Intentions of the person/server you're communicating with is outside of the scope. No amount of money exchanging hands will change this fact, yet Verisign has obviously convinced a lot of people to the contrary.
I would argue that there is in fact a need to call. There will be several types of customers that would receive a call.
1. The customer who did not want to renew and has not done so purposefully. The will tell the caller "no" and may even ask to be placed on the company's Do Not Call list.
2. The customer who wanted to renew but forgot about it or for some other reason has not done so yet. They will be grateful to have received a reminder, especially with a discounted rate.
3. The customer who is on the fence and has not decided whether or not they were going to renew. Some will renew due to the discounted rate, while others may decide not to renew simply because of the bother of the phone call.
#2 and #3 above create the need for the calls. If everybody was a #1, the calls would stop. Obviously enough people find the calls useful enough (and therefore buy the product) to make the phone calls worth while.*
Of the magazine renewal call centers I have knowledge of, they typically have a "yes" rate of between 20% and 40% of the contacts made. The number of customers who get irate due to the call and/or ask to be placed on the do-not-call list is not even 1%.
As I said, I fully agree with you on cold calls (which the do-not-call lists do a very decent job of handling,) but the occasional offer from a company I already do business with is fine. 5-6 calls per year for a person who has 4-5 magazine subscriptions is really nothing to get worked up about. If calls bother a person that much, they really should have an unlisted number that they never give out to anybody but relatives and close friends and possibly their employer. With all of the free voicemail type of websites out there these days, there is really no excuse for someone getting upset because they gave their "real" number to a company that chooses to call them on it.
* Note that spam is sent around by the same logic, but the difference is most telemarketing firms do so responsibly such as honoring do-not-call lists. Spammers on the other hand go out of their way to make sure you get that spam whether you want it or not, even to the point of DDoSing anti-spam websites and products.
There are legit telemarketing companies. I know of a couple who call people regarding renewals of their magazine subscriptions. They are calling their existing customers who have not yet renewed, offering a discounted renewal rate if they renew before their subscription runs out.
I do believe you have a point that there are no legit cold-call telemarketing companies.
"You have to learn version control systems, the community, what constitutes "easy", you have to learn the scale and meaning of each piece of the project, you have to learn communication and moreso, you have to know enough to actually fix things."
Um... Every one of those attributes are key to a regular paid position as well. Any sort of company that has anything above an amateur programming team will be using version control of some sort. An as far as learning to communicate with the community and learn about the entire project, its just silly to suggest a person wouldn't be doing that in the workforce.
The first thing when I started a position with programming as part of the official job description was get set up on the revision control system (Subversion) and just start browsing the code. After I got familiarized with the overall project scope (what do these individual pieces of code do and how do they fit into the whole picture,) I was given some of the low-hanging fruit in the bugtracking system to tackle. Next I started grabbing tickets I thought would be simple for me to fix. I grew from there and now I am in charge of our biggest software project.
There are more similarities than differences between corporate and open-source programming. Heck, even in a corporate environment you may not have face-to-face contact with your fellow programmers with all the outsourcing going on.
Actually, it isn't a random door guard that happened to be walking by and decided to allow access into your home. It is a doorman (router) you hired (purchased) who gave you the choice of reading his contract (the user's guide) defining his default behavior, such as allowing anyone to enter if they ask (allow association and give IP upon request.) He also gave you a questionnaire (the web interface) to fill out if you want to change any of his default behavior. If you chose not to read the contract (manual) and/or have it reviewed by an attorney (friendly neighborhood geek) if you didn't understand it, who is actually to blame, the employer (owner) or the employee (router)? The employer (owner) has proxied the doorman (router) into "a position to decide absolutely who can and can't access the network" for them but they simply were not given a replacement "guest list" that doesn't say "everybody".
I have several access points at various locations that I am responsible for. If they're open, I don't care who uses them. If they're protected, you aren't allowed to use it. Its really a pretty simple concept.
Look at it in another way. Say I have a sprinkler set up in my front yard, and part of the spray goes over the property line. My neighbor decides to put a bucket in that spot to collect some of the water to pour on his garden. Do I have a right to be upset at my neighbor because he used the water that I allowed (either by negligence or design) to spray onto his property?
You may try to argue that the bucket is actually being passed onto my property in order to fill it since WiFi involves a 2 way signal. In that case, refer to my doorman example, the WiFi signal is being given explicit permission by your proxy, the router. This would be the same the neighbor asking your doorman if he can hang his bucket in the corner of your yard when you water since his hose won't reach out to his garden. Who should you hold responsible, your neighbor for not knowing that your doorman was not given proper instructions to deny your use of the water? Your doorman for not telling him "no" without explicitly asking you first? Or yourself for not giving your doorman proper instructions on who to allow use of the water?
I really don't see why people are making such a mountain out of this tiny little ant hill. In the end the setting in the access point still says "open" and the access point should be legally treated as such until such time that the setting is changed. Anything to the contrary is just someone not taking responsibility for their own screwup or their own unwillingness to do the proper research, which is in most cases as simple as reading the "quick start" guide.
Actually if you want to get technical, WiFi falls under part 15 of the FCC rules, meaning all WiFi devices must not cause interference to other devices, and the devices must accept an interference from other devices. In layman's terms (and without getting into the primary vs. secondary spectrum users,) you can't complain about somebody else's WiFi or cordless phone interfering with yours. While legally their device is not supposed to cause interference, you have to accept it without any legal recourse.
Your comment is spot-on though, if my WiFi is interfering with yours, please come see me and I'll help get it worked out so BOTH of us will have better signal. I've even made that easy, my street address and phone number make up my SSID.
Who says the phone companies want to stop spoofing? What they want is for customers to pay their bills.
This is a consumer protection bill and protecting the citizenry is raison d'etre of the government.
The government shouldn't be protecting me from myself. Laws are meant to protect me from what I can't protect myself from. For example, I can't stop someone from breaking into my house when I'm not home and stealing my valuables. I can do what I can (good locks, alarm, etc.) to help, but in the end if someone wants in they will get in. I also cannot prevent somebody without insurance running a red light and totaling my car. There are laws in place to help keep people from driving without insurance in the first place.
As for spoofed CallerID, who in their right mind would give any caller any personal information just based on what the CallerID said? Before CID, did people just give out any information to anyone who called saying they were the bank without verifying somehow that they were indeed who they said they were? Nope. The need to do that hasn't changed. I have to actively choose to make myself a victim by giving out that information, so protecting me at a government level is unnecessary.
It has already been mentioned by numerous other posters that the true ID information, ANI, is already available to the telcos and to investigating officers. Due to this fact anyone who does commit a crime using the telephone is going to leave a paper trail anyway. If they have the ability to get around the ANI tracking, asking them not to screw with CID is not going to do anything but make them chuckle. The fraudsters who commit crimes using CID spoofing are already breaking existing laws, there is absolutely no need to add another useless law to the already over-complicated lawbooks.
People need to stand up for themselves and force the phone companies to change. The telcos have already recovered the cost for the CID infrastructure many times over and is purely a profit item for them now. Rather than having Congress enact yet another law, why not tell the phone companies you don't like how the existing system works by canceling your CID service? You are exactly right in that the telcos want people to pay their bills, and if people stop subscribing to CID, do you think they'd just turn it off and accept the loss of $6.95/month per line? Nope, they'd sit down and realize they just lost a 100% margin product and redesign it to meet what people will pay for again. Do you keep subscribing to a magazine when you decide it doesn't provide the content you want but ask Congress to enact a law to change the format of the magazine? I certainly hope not.
I've read articles that say a large percentage (between 80 and 100 percent depending on where they live) of Americans go about their daily lives unknowingly breaking at least one law on a daily basis. As an example, in many states it is against the law for any kind of "reproductive attempt" that is not the plain old missionary style. How does it hurt society if my wife and I (yes, a married Slashdotter, try not to stare please) want to try a different position? Nope, I can't think of any reason either. Why is it even on the books?
I'm sick and tired of having more and more laws on the books, and spending more and more money (taxes) to enforce them. The founding fathers of our country threw a big party that had something to do with tea when their government was unfairly taxing them and pushing unnecessary and unfair laws on them. Each and every one of them are probably turning over in their respective graves when they see what this country has become.
Despite what Oprah may tell you, YOU are responsible for YOUR own actions. If you don't like it move to China or some other police-controlled nation and let the rest of us enjoy our freedom.
Dallas has whitepapers for their OneWire bus protocol that list doing just that. From what I've seen, it looks to be fairly simple as far as things go. With the required components being only a few pennies (or less) at any kind of quantity, it would be a piece of cake to implement this.
You are correct in that root's e-mail may not prove 100% ownership, but what method would be secure short of sending expert auditors* on-site to verify every detail possible and the security of such systems? My point was I feel it is just as safe in my opinion as the checking the big companies do, only far less expensive.
In order to get the domain name in the CN of a certificate, CAcert requires the person requesting the certificate to be personally verified by the web of trust (meeting at least 2 people for ID verification, except in special circumstances) which provides another level of verification before the domain is even brought into question. The person would need to convincingly fake their own ID before pulling off some type of technical hack to get access to the appropriate e-mail ping. Again, I'm not saying it can't be done, but is harder in my opinion than it would be to simply fake a credit card for the big guys.
Unfortunately there is no good answer, short of only trusting certificates for people/entities that you can personally verify as being valid.
Jeremy
* By expert auditors, I mean truely competent technical people who actually know what they are doing and care about the results, not a typical "make a showing just to say we did it" audit as it usually happens.
When you register your domain with CAcert, they give you the option of sending the message to any one of the following addresses at the requested domain: root, hostmaster, postmaster, admin, webmaster, or the addresses listed in the DNS record. If you have one of these address aliased or forwarded to another location, then the message will get through to the new location.
Since those addresses are administrative addresses, you shouldn't be forwarding them to a user or mail system you don't trust. You should also not be allowing non-admin users access to the aliasing of your mail, so they couldn't create their own alias.
In short, if you have lost control of these addresses on your domain, getting a certificate issued to your domain is not your biggest concern. If someone owns your box to this point, they probably have access to copy the private key used for the certificate you bought from BigNameExpensiveCA anyway. They could probably also swipe your database of credit cards, personal info, and any other info they want, making an attack using the certificate more trouble than it would be worth anyway.
What method would you trust beyond this? Charging a credit card issued to the person listed on the DNS records? This is pretty much what the BigNameExpensiveCAs do. Identity theft is so rampant these days that I wouldn't feel any safer if the "owner" were verified this way.
Jeremy
"So, the Internet is a *problem* for good parents who want to teach their children about the reality of sex, rather than the superficialities found in porn, and solutions are therefore required. And partial solutions are better than none."
:-) I plan to be open with them as to my expectations of what is allowed and not allowed, which is the hardest part. No matter how much work you and I put into making sure their home PCs are smut-safe (again, you and I would do a lot better job than most of the public mass,) there is nothing stopping them from going over to a friend's house whose parents installed a partial solution, or nothing at all. Heck, maybe even Little Johnny's cell phone on the schoolbus ride home at that point. This right there is why I have the desire to teach them right from wrong, so that when presented with the opportunity they will make the right choice.
:-)
I completely agree that there are different views and different "levels" of potential harm depending on what is seen. In general though, I feel that a partial solution has the potential to make many parents think they've done "enough" and leave it at that. You don't appear to be a parent in that category since you understand it is a partial solution. I've said for a long time that people are stupid. There are obviously individuals who are intelligent, but as a group, the average intelligence is way below par.
"You mention that you have two kids. How old are they? This topic is very much on my mind because my oldest is just entering puberty and my second isn't far behind (and actually has more questions and concerns). If yours are at the same point, I bow to your superior equanimity. I'm rather worried about the next few years."
My oldest is almost 4, and my youngest is just over 1, so I have a few years yet before I have to really start to worry. I didn't claim to be superior in any way, I was just pointing out the "perfect" situation. I'm going to strive to do my best to come somewhere near that but nobody is perfect.
My plans so far are as follows. My kids won't have an Internet conncted computer in their rooms. I have no problem with them having a computer in their room on the network, but they will be mac-address blocked at the router, with maybe some specific sites whitelisted to be allowed. More drastic measures will be taken if they figure out how to get around that.
When growing up, my parents did just that for me, taught me what was right and wrong. While Internet pr0n wasn't an option at the time, all the other things such as drugs and general delinquincy were always there. I never even had the desire to try any kind of illegal drug. I actually never had any alcohol to drink other than an occasional glass of wine at home in the evening, no drunken evenings for me. Not to say I didn't go to the parties, but just never had the desire to drink. I was never in trouble with the law or school administration, any of that. Maybe since I never had the desire I'm kidding myself as to the intentions of my kids. Only time will tell, and I hope both you and I are able to appropriately react and have kids that turn out somewhat normal.
Jeremy
This is the type of misunderstanding that is causing the controversy over the Blue Frog. The point of the Blue system was not to DDoS spammers' websites. The point was to submit one opt-out request for every spam received. The idea was to make the spammers' "sale" list so full of garbage that they had to start cleaning their lists so that the real sales would come through. Once the spammer stopped sending spam to Blue members, they could continue to spam to their heart's desire. They were not trying to drop any servers or anything like that.
In my opinion, this method of spam fighting had no collateral damage. No non-spam messages were ever dropped due to a false-positive match in a spam filter. No non-spam servers were mistakenly blacklisted in a RBL. The only issue here was caused by one of the spammers resorting to an illegal attack in retaliation of fed-up users requesting to be removed from their list. BlueSecurity is not to be blamed for the DDoS of the blog sites, etc.