Slashdot Mirror


User: Vellmont

Vellmont's activity in the archive.

Stories: 0 · Comments: 4,325

Comments · 4,325

  1. Re:Shills on Neal Gafter On Java Under Oracle · · Score: 1

    Since C# never aimed to run on non-windows, it's also not a fair comparison of designs, because the goals were different.


    Plain wrong. C# is a platform-agnostic language with a standards-defined specification [ecma-international.org]. The CLR and CIL specifications are also 100% platform independent.

    You honestly think that Microsoft never making a non-windows part of the VM wasn't part of the Microsoft intention to make it a Windows language? The reality is that C# IS a Windows language. You're either very naive, or bending over backwards on a technicality.

  2. Re:What could possibly go wrong? on IBM's Watson To Help Diagnose, Treat Cancer · · Score: 1

    The problem isn't not being able to see "the best guy". The problem is avoiding seeing the bottom 20-30 percent or so. Think about whatever profession you're in. Now think about the worst colleagues you've had (moron, headstrong, wrong most of the time, etc). You think the distribution is THAT much different in medicine?

  3. Re:What could possibly go wrong? on IBM's Watson To Help Diagnose, Treat Cancer · · Score: 1


    Doctors may catch the obvious things, but when it's not obvious, your life literally depends on who you happen to get lucky enough to see.

    Choosing a doctor isn't luck. Do your research, get recommendations, and it helps a lot to not live in Podunk. Then you have to do your OWN research if you get sick. Relying on the magic doctor to give you the right answer is a fool's game. Any good GP will refer you to a specialist if you need it. Don't be afraid to ask for one yourself.

    There are many ways to get good health care. None of them are based on luck.

  4. Media coverage of anniversary. on Marking 10 Years Since 9/11/2001 · · Score: 4, Insightful

    It's shameful that the media coverage is merely a flashback to 9/11, and I hear nothing about the subsequent fear, paranoia, and loss of freedoms that have engulfed the country. It was certainly a horrible day, but the aftermath on our country has been tens of thousands of times worse.

    We got into two wars that we're STILL in. We have this lovely Patriot Act, which continues to be renewed with little debate. We have a continually fearful public, cowed into submission to The Official Reaction. We have ever increasing security theatre at airports. But yet no coverage of any of that. It's all about the day, and nothing about the disaster afterward.

  5. Re:Thank goodness it is not tax season on Dutch Government Revokes Diginotar Certificates · · Score: 1


    Most sites are hosted externally, usually with 2-3 parties involved per site. You need to go through all those hosters' change / support systems, which might take hours but can also easily take days (if not weeks....)

    Oh well. Now they pay the price of making something that's a few hours work into a game of telephone tag.

    I actually don't really agree with you. No matter how much administrative gobbledygook you stack on top of each other, ultimately there's one, maybe two people per site that will actually do the work. If it's that big a deal, and a major site, with major inconveniences it just takes a few phone calls to the right people to get things done. Apply the right pressure to the right people, and things can get done rather quickly. How many sites really need SSL anyway? Does every little town in the Netherlands have an e-commerce site where people pay water bills, or renew car registration? If that's the case, that's a much larger waste than this silly SSL cert thing.

  6. Re:So... on Court Renders $3 Judgment Against Spamhaus · · Score: 1


    The point of an award like this is to say 'you are technically in the right as a point of law, but you shouldn't actually win, now go home.'

    As I understand it, the appeal was about the amount of damages awarded, and had nothing to do with who was "correct". The point of the $3 was essentially "I can't rule on who was correct, since that's not being disputed. I can rule that you've shown no damages at all, so I'm awarding you $1 per claim, the minimum I'm allowed to award."

  7. Re:Thank goodness it is not tax season on Dutch Government Revokes Diginotar Certificates · · Score: 1


    But there are a *lot* of sites. A lot of municipalities use certificates issued by Diginotar as well.

    Big deal. Certs are renewed every year or two anyway. All they need to do is call up whoever handles that sort of thing and get a new cert. If your local municipality doesn't have SSL for a day or two it's hardly a major disaster. Replacing a cert is very easy. I'll bet there's a million people around the world that could do it in a pinch, myself included.

  8. Re:So... on Court Renders $3 Judgment Against Spamhaus · · Score: 1


    The spammers still won... Sure it's only 3 dollars

    I'm not sure you quite understand civil lawsuits. Lawsuits are about one thing. Money. Money you win, and money you cost the other party. They're never about "winning". This isn't a chess game.

    A $3 judgement is a total failure. Why? Spamhaus decided to not fight the lawsuit, largely because they didn't believe the US courts held any jurisdiction over a UK operation. So the initial judgement was a default one against them. The judge coming back with a $3 damage assessment is as good as he could have done to smack this idiotic lawsuit down.

  9. Re:why? on Ask Slashdot: Self-Hosted Gmail Alternatives? · · Score: 1


    You really need at least two servers for fail-over and simply the ability to down one while you update the other. (And those two should be geographically separated so power outages don't take out both, etc.)

    Honestly, why would you go to that extreme for your own personal email? Do you have that level of redundancy for other pieces of equipment, like your car?

  10. Re:why? on Ask Slashdot: Self-Hosted Gmail Alternatives? · · Score: 3, Interesting

    I've hosted my own email for the past 15 years, and I simply don't see the problem you're describing at all. Spam is well handled by SpamAssassin. I've never had blacklisting or DNS issues. With just YOU controlling everything, and not multiple people, the change management problems are minimal. If you choose software with a proven track record, then the security problems become minimal. Install all your software from a Linux distribution with multi-year support, turn on auto-updates, and the security problems mostly go away from all but the most dedicated and skilled attackers. You're a lot less juicy of a target than say Google, so the skilled attackers don't really care about you anyway. If it's just YOUR email, then the people getting bitchy is just you. I'd never host email for someone else. The only real issues are when the internet connection is down. Even then, you can get to any old mail, but new mail obviously doesn't come in. Even that you could fix with a low priority MX record pointed to a Gmail account.

    The one thing I would caution is you need to know what the hell you're doing. The OP said he was "a hobbyist and not a system admin". Well, if you want to host your own email, you'll soon learn the skills to be a real system administrator (or give up and go back to hosting).

  11. Re:Can it altogether. on Ask Slashdot: Does SSL Validation Matter? · · Score: 1


    And I repeat: that's human error. And I dispute whether we could have a "system of trust" that is very much superior, because every time we have tried to set up a "secure" system, people have ALWAYS been the point of failure.

    The point you're missing is that all failures are equal, or that the goal of designing any system is to make it perfect, or foolproof.

    That's never the goal of security. The goal is always to reduce risk. No security is perfect. All security can be broken with sufficient resources. Just get Furio and a rubber hose, and I guarantee you your security system will quickly be broken.

    If you want to get into specifics, a simple example would be redesigning SSL so that you'd need at least 4 signatures on your SSL cert from 4 different companies not owned by the same parent. How could that not be more secure (less risk) than requiring only 1?

  12. Re:I want my free encryption on Ask Slashdot: Does SSL Validation Matter? · · Score: 1

    You have a ridiculously high standard for protecting against MITM attacks.

    What you need to understand is that security has always been, and always will be about making attacks harder to do, not impossible.

  13. Re:I want my free encryption on Ask Slashdot: Does SSL Validation Matter? · · Score: 1

    To perform a MITM attack you have to be able to send out data on the channel, and not just be passively listening. This isn't always possible, and represents a higher degree of risk of being caught than a passive listening attack.

    You can also buy automated lock pickers that make lock picking relatively easy. Battering rams, crowbars, and bricks through windows are cheap too. Does that mean doors and locks are useless?

  14. Re:Can it altogether. on Ask Slashdot: Does SSL Validation Matter? · · Score: 1


    As someone else already pointed out, browsers by default do not even warn you if a site's cert is invalid.

    Completely wrong. Browsers have by default warned about invalid certs for years. Versions of Firefox and IE made in the last several years have actually gotten scarier warning messages, and made it more difficult to get to the website without going through a few steps other than just a simple "click here to continue". Expired certs also give warning messages.


    That same study concluded that there are too many Certificate Authorities today....

    It's a broken system. Not because of bad design, necessarily, but because of the failures of people who administer it.

    No, it's a broken system because it's a bad design. The problem isn't "too many certificate authorities". The problem is that the weakest certificate authority spoils the whole system. There's always going to be some bad companies doing something incredibly stupid. There's a slew of different ways we could have a web of trust that would be far more secure than the weakest-link system we have now.

  15. Re:Fancy label on Ask Slashdot: Does SSL Validation Matter? · · Score: 1


    She sees the little "lock" icon, doesn't get a confusing certificate warning message, and is happy to make her purchase on the scams-r-us website because, "Golly-gee! It's $800 less on THIS website!"

    SSL certificates aren't intended to ensure that you're running a legitimate business. How could they? The only function of an SSL certificate is to provide a decent amount of assurance that the cert being presented to you is actually coming from the website displayed in your browser's address window. That in turn means the communication between you and that server has a high degree of protection from being intercepted by a third party. That's it.

    I can't give a damn. I'm going to have to buy the certificate to appease buyers anyway, so debating the future is moot and I might as well put up with whatever changes they decide to make in the future.

    What they're debating would likely affect both the price you pay, and the number of certs you'd have to buy. The summary (and no article) doesn't provide much detail. If you believe the summary, then I'd expect prices to rise for a cert, since the "domain only" validation is cheaper. Wildcard certs allow a domain to have only one cert and use it in multiple places rather than having to be issued multiple certs for each subdomain, or differently named server.

  16. Re:I want my free encryption on Ask Slashdot: Does SSL Validation Matter? · · Score: 1


    I break into your server. I take your cert.

    It shouldn't come as a surprise to anyone with more than 3 brain cells that if someone breaks into your server, then you're no longer secure.

    The identity function of certs is 100% bullshit -- and it's always been bullshit.

    If by "identity" you mean that with a moderate degree of reliability that the cert claiming to come from www.johnsonandjohnsoncorp.com was actually issued at some point to the legit owner of www.johnsonandjohnsoncorp.com, then I have to disagree with you completely. It's not perfect though. Cert issuers have issued certs to the wrong entity. There have been bugs in browsers, etc. I'm sure you could smash down my locked door, or pick the lock, but nobody would say locks are "100% bullshit", and merely marketing from lock makers.

    If by "identity" you mean that that same cert actually came from Johnson & Johnson, the people who make band-aid brand band-aids, then you're completely correct.

  17. Re:I want my free encryption on Ask Slashdot: Does SSL Validation Matter? · · Score: 1


    If you can't verify identity on an insecure channel, encryption is useless, as you could be talking to a man-in-the-middle who just takes the traffic from each end

    Useless is a strong word for it. In practice, performing the man-in-the-middle attack is far more difficult than simple passive listening on traffic. So I'd say even an unauthenticated encrypted channel is preferable to one in the clear. Hardly useless.

  18. Re:It doesn't matter. on What Today's Coders Don't Know and Why It Matters · · Score: 5, Insightful


    Today's machines are over a hundred times faster than they were 10 years ago

    The raw CPU power times the amount of cores is 100 times faster. How much faster is the I/O? Serving up web pages is mostly about I/O. I/O from the memory, I/O from the database, I/O to the end user. The CPU is usually a small part of it.

    You actually sound like a perfect example of what the article is talking about. People who don't understand where the bottlenecks lie. Hell, it even mentioned the misunderstanding of the I/O bottleneck that exists today.

  19. Re:Short term pain for long term pain? on Foxconn To Employ 1 Million Robots · · Score: 1


    We prioritized their jobs over market efficiency. Consequently in the 90s and 00s when a certain country stepped forward who was willing to play hardball in the labor market, a lot of those jobs ended up moving over there.

    We did? What law protects workers from automation? There's plenty of automated manufacturing in the US. Your claim that the US hasn't invested in efficiency is made up out of thin air. Care to provide any references?

  20. Re:Artificial crisis on Seigniorage Hack Could Resolve Debt Limit Crisis · · Score: 1


    Do you really think THIS is the time to be worrying about our debt?

    If we're talking about actually fixing any real problems, of course not. But the Republicans don't want to do that, they want Obama out of office, and the republicans to control congress. Fixing the economy would only help the democrats at this point. I'm sure SOME of them are reasonable people, but the problem is that the Republican party has become incredibly narrowly defined by a set of mantras. Low Low taxes. Liberals are destroying America. Tax increases destroy jobs. Whatever America does is right. What Republicans do is unquestionably right, so never be critical of a fellow republican. Stray outside of these narrow boundaries, and be prepared to be attacked by the Republican mob. Look at what happened to Newt Gingrich.

    The truth is we couldn't afford the Bush tax cuts of a decade ago, and we can't afford all these dumb wars we've gotten ourselves into. The Republicans are too idealistic and painted into a corner to actually address either of these major issues with anything other than their standard mantras. The democrats aren't united enough to send simple enough messages to counter the Republican spin machine. Too many people actually believe this nonsense about raising taxes on the wealthy will "kill jobs", and the Democrats have done a very very poor message at countering that idea. How hard would it be to point to the Clinton years tax rate (higher), the unemployment rate (lower) and put an end to this crap about how high taxes "kill jobs"? If they did the same thing the Republicans did, and repeat the same message over and over, they might have some influence.

  21. Re:Finally, logic and reason win out. on Green Card Lottery Judgment Favors Mathematical Randomness · · Score: 1


    Why wouldn't it have been more fair to accept both groups?

    It likely would have been more fair. But the law only allows for a certain amount of green cards to be issued. The law still usually trumps "fairness".

  22. Re:Why did they change the algorithm this year? on Green Card Lottery Judgment Favors Mathematical Randomness · · Score: 1


    Also, isn't it true that the order in which the applicants were filed was completely random?

    The point is really more that the applicants can't be predicted with any certainty, and no "favoritism" exists in the system. This is to promote fairness to everyone. Given the system of "the people who applied in the first 2 days are far more likely to get picked than anyone else" If you have a faster internet connection than me, or happen to have one or both of those days off work when the pool opens, or a dozen other things related to the time, then you're more likely than me to get picked than I am. The sample is then biased towards those people.

    So I'd argue that that's not a random sampling, it's a biased sampling.

  23. Re:Well on Green Card Lottery Judgment Favors Mathematical Randomness · · Score: 1

    And the Supreme Court made the right call.

    Are you trying to argue that words can't have multiple meanings? Language is evolving all the time, and it's not controlled by one group of people. Context matters, and in this case the context wasn't a botanical one. People don't treat tomatoes like fruit, they treat it like a vegetable. This is legislation, not a scientific paper in botany.

  24. Re:So what's "random" then? on Green Card Lottery Judgment Favors Mathematical Randomness · · Score: 3, Informative


    Every computer programmer knows that any random number he generates programmatically is not "mathematically random".

    Perhaps very bad, or at least ignorant computer programmers think this. The good ones know about things such as "hardware random number generators", which generate random numbers using thermal noise, which is random at the quantum level. These are built into many chipsets, and are hardly considered exotic. I've got one myself in a cheap VIA motherboard. QM could be wrong of course, anything in science can be. If you think you can predict thermal noise, or some other quantum phenomenon, I guarantee there's a Nobel Prize in it for you if you're correct. If you're really holding out for that without any evidence to support it, then the conversation is essentially over.

    We can possibly debate on whether other sources of randomness (keyboard timings, network latency packets, etc) are truly unpredictable. That's not something I have any special knowledge of. But you're quite wrong if you think that nothing is truly random. Our current theories about how the universe works would say that the lowest level of everything IS random and unpredictable.

  25. Re:Well on Green Card Lottery Judgment Favors Mathematical Randomness · · Score: 1


    So, again... what is the likelihood an expert witness would claim a fire was arson at a trial?

    You're missing the point. Of course arson investigators hired by the government are going to testify that arson occurred more often than they say it was accidental. The point is that arson investigations are often conducted by people totally unqualified to do so.

    I saw the Frontline episode the OP is talking about. One of the many points it tries to bring home is that fire investigators in many states don't have any scientific training in how fires spread, and are more often than not just experienced fire-fighters "with a hunch". They haven't conducted scientific studies on fire, don't have degrees in science, and have little more knowledge about fire than simply having experience. Experience without theory, and rigor is little more than a series of anecdotes. Frontline showed the opinion of an ACTUAL expert (with scientific training, academic study, and experimental evidence) who said it was quite obvious that the fire was accidental if you've studied how fires happen.

    Now it so happens that this was a jury trial, so the judge had little or no involvement in deciding whether the fire investigator was qualified or not. So this isn't a particularly good counter-example of a judge making a bad ruling.