They don't. You can lie. There are quite a few Facebook profiles for fictional characters. I know a few people who only list their first name and last initial. But that's not the point. If you have a Facebook profile it is because you want people to be able to find it and contact you. Lying about your name would just be pointless, especially if you are signed up on a college network which will list your .edu e-mail address which could be easily looked up in a directory anyway. I have no problem with pseudo-anonymous social networking, but that is not what Facebook is for.
This may or may not be the exact article you are referencing, but Joel on Software covered rewriting from scratch. Of course, when I think "complete rewrite", I think of pretty much what Joel describes himself doing.
You seem to misunderstand what formal systems are. This is not surprising; they are a complicated abstract concept which are likely not explained in school below a graduate level course. I recommend reading Godel, Escher, Bach (silly /. formatting, that o should have an umlaut). Hofstadter does a good job of explaining them, although I disagree with him on some details.
Specifically, you have cause and effect backwards: "zero" and "successor" are not words whose definitions are needed to understand the axioms; "zero" and "successor" are implicitly defined by the axioms. The formal system of Peano Arithmetic is useful because it happens to use the words "zero" and "successor" in a way that fits with our natural understanding of those words.
There's something wrong here. Either there is not enough food where it needs to be so there are unfilled jobs which would provide that or there are just enough people working already and there is just not any more work that needs to be done. Oh, well. If you want more people to work in that situation, then decrease working hours. It seems rather silly to say "All the work is getting done, but we do not have enough people working."
This article, which I believe I found off a comment from the previous /. article on this topic, discusses a sane way to handle a TLD free-for-all, which actually sounds like it could be better than the current system. Of course, ICANN will likely opt for the profitable way not the sane way if the general consensus on /. about ICANN's greed is at all accurate.
Yeah, domains in the other order like on usenet would make more sense, but it is quite a few years too late for that.
HTTP already has a way to handle languages: the Accept-Language header (section 14.4 of that link). Country TLDs make sense because a website may be associated with a specific country, but unless .en is for websites about English, it does not make any sense.
I am not an expert on cryptography. If you want a full picture, I recommend reading Wikipedia. Not that it was necessarily written by experts either, but at least it is edited and has an awful lot of information and links. Some good starting points would probably be Public-key cryptography, Digital signature, Man-in-the-middle attack, Transport Layer Security.
That said, I will answer your questions.
1. Yes, you need to have the public keys. A MITM attack involves lying about what the public keys are because the browser has to get them from the HTTPS server. Which brings us to question 2.
2. The certificate is a digital signature of the server's public key signed by some trusted agency (ex. Verisign). Verisign's public key is distributed with your browser so your browser is able to verify the signature. Of course, your browser was probably downloaded via an unencrypted HTTP connection, so that could have been MITM'd in theory.
Because it provides no protection against man-in-the-middle attacks, so someone who actually wants to read your communications would have little trouble doing so. Of course, there is the catch that they would have to actually be in the middle when the encryption keys are exchanged, and then actively re-encrypt each packet going each way (because the attack basically means the attacker acts as a proxy for the server to the client and as a proxy for the client to the server). This is obviously a lot more work than dumping traffic onto a disk with some filtering for review later, which is already a rather daunting task with the amount of traffic on the internet.
That said, I agree: there should be some way to encrypt HTTP sessions with a self-signed cert (self-signed means that the user can know that they are accessing the same server they did last time) and no warning: it just should not display the same lock icon because it does not offer the same level of security.
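The two comments above describe what a CA-signed certificate lets a browser check (the CA's public key ships with the browser, the certificate is the CA's signature over the server's public key) and what a self-signed certificate can still promise (the same server as last time). The following Python models both as an added example that is not part of this thread. It uses a toy textbook-RSA signature (no padding, short 512-bit keys) in place of a real CA signature algorithm, and the names `issue_certificate`, `browser_accepts`, `TofuStore` and the hostname `example.test` are assumed for illustration only.

```python
import hashlib
import random

# Toy textbook RSA (no padding, short keys) standing in for the CA's real signature scheme.
def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test; adequate for a demonstration key, not for production."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if is_probable_prime(cand):
            return cand

def keygen(bits=512):
    """Return (public, private) = ((n, e), (n, d)). Toy sizes only."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def digest_int(data: str) -> int:
    # SHA-256 is 256 bits, always smaller than the 512-bit modulus, so no padding step here.
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")

def sign(private, data: str) -> int:
    n, d = private
    return pow(digest_int(data), d, n)

def verify(public, data: str, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == digest_int(data)

# A "certificate" here is just: subject name + subject's public key + issuer signature over both.
def to_be_signed(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}"

def issue_certificate(issuer_private, subject, subject_pub):
    return {"subject": subject, "pub": subject_pub,
            "sig": sign(issuer_private, to_be_signed(subject, subject_pub))}

def browser_accepts(cert, hostname, trusted_roots):
    """The browser's check, given the CA public keys that shipped with it (its trust store)."""
    if cert["subject"] != hostname:
        return False
    tbs = to_be_signed(cert["subject"], cert["pub"])
    return any(verify(root, tbs, cert["sig"]) for root in trusted_roots)

class TofuStore:
    """Trust-on-first-use pinning: all a self-signed cert can offer is 'same key as last time'."""
    def __init__(self):
        self.pins = {}
    def check(self, hostname, pub):
        fp = hashlib.sha256(to_be_signed(hostname, pub).encode()).hexdigest()
        if hostname not in self.pins:
            self.pins[hostname] = fp
            return "first-visit"            # nothing to compare against yet
        return "same-key" if self.pins[hostname] == fp else "KEY-CHANGED"

def demo():
    ca_pub, ca_priv = keygen()
    server_pub, _ = keygen()
    other_pub, other_priv = keygen()     # a key that is neither the server's nor a trusted CA's
    trust_store = [ca_pub]               # what ships with the browser
    host = "example.test"                # constructed hostname
    genuine = issue_certificate(ca_priv, host, server_pub)
    swapped = dict(genuine, pub=other_pub)                    # CA signature kept, key replaced
    self_signed = issue_certificate(other_priv, host, other_pub)  # issuer not in the trust store
    tofu = TofuStore()
    return {
        "genuine_accepted": browser_accepts(genuine, host, trust_store),
        "swapped_key_rejected": not browser_accepts(swapped, host, trust_store),
        "untrusted_issuer_rejected": not browser_accepts(self_signed, host, trust_store),
        "tofu_first": tofu.check(host, server_pub),
        "tofu_same": tofu.check(host, server_pub),
        "tofu_changed": tofu.check(host, other_pub),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The three browser cases are the ones the comments describe: a swapped key fails because the CA's signature covers the key, and a self-signed certificate fails because no trusted root verifies it, which is why browsers warn. The `TofuStore` shows the weaker guarantee a self-signed certificate can give: it cannot say who the server is, only whether the key changed since the last visit.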
Also running in an emulated environment just doesn't cut it - it could be possible but WINE just can't do it for some games.
WINE support for games seems pretty good overall. If developers cared about Linux support they could probably compile against libwine and fix whatever problems occurred, but that involves a lot of extra effort to test and support it.
Both methods are intended to protect passwords, not sessions. Assuming MD5 is sufficiently secure - which it is believed to be for this purpose despite some attacks on it because both methods use a challenge string which is somehow concatenated with the password - someone reading the traffic would be unable to get the user's password and therefore unable to log in as them.
On the other hand, the LJ method does not prevent session hijacking by reading the traffic, copying the cookie, and using it before the user logs off or their session expires. LJ does have an optional security measure to allow access from only your own IP, but if an attacker is already reading your traffic, they are probably also on the same network as you so they could send packets as from your IP.
Digest auth goes a bit further and authenticates on every request with the request URI as part of the hash, so an attacker could change submitted POST data or pages sent to the client in an attempt to hijack the session, but could not simply steal it and browse any page. That is, the attacker has to be actively changing the communication between the client and server to even hijack a session while with LJ's auth (and in general most auth on unencrypted websites) they only need to read the cookies.
Both methods make no attempt to hide the content of the website or information sent to the website; that's what HTTPS is for. They only make it nearly impossible to steal passwords and make it difficult to hijack another user's session.
Some sites already do this, although not with RSA, but with MD5 or some other cryptographic hash, of which there exist JavaScript implementations which are plenty fast. See the LiveJournal login page. There is also HTTP digest authentication, but that requires browser support and users are used to typing their user/pass into an HTTP form, not using HTTP auth.
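The comments above contrast two ways of keeping a password off the wire: a challenge/response login of the LiveJournal kind, which protects the password but hands out a cookie that is a plain bearer token, and HTTP Digest authentication, whose per-request hash also covers the request URI. The Python below is an added example, not code from this thread or from LiveJournal. The challenge/response form it assumes is MD5(challenge + MD5(password)) with the server storing MD5(password); the Digest computation is the RFC 2617 form without qop (HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2)). Class and function names, the realm, username, password and URIs are constructed for illustration.

```python
import hashlib
import secrets

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

# ---- Challenge/response login of the kind the comments attribute to LiveJournal (assumed form) ----
class ChallengeLoginServer:
    def __init__(self, users):
        self.users = users              # username -> MD5(password); the password itself is never stored
        self.open_challenges = set()
        self.sessions = set()           # cookies handed out after login

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.open_challenges.add(c)
        return c

    def login(self, username, challenge, response):
        # Each challenge is accepted once, so a captured response is worthless for a later login.
        if challenge not in self.open_challenges:
            return None
        self.open_challenges.discard(challenge)
        stored = self.users.get(username)
        if stored is None or response != md5hex(challenge + stored):
            return None
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def request_with_cookie(self, cookie):
        # Nothing ties the cookie to the client that logged in: it is a bearer token.
        return cookie in self.sessions

def client_challenge_response(challenge, password):
    return md5hex(challenge + md5hex(password))

# ---- HTTP Digest authentication, RFC 2617 without qop ----
def digest_ha1(username, realm, password):
    return md5hex(f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce):
    ha2 = md5hex(f"{method}:{uri}")      # the request URI is bound into every response
    return md5hex(f"{ha1}:{nonce}:{ha2}")

class DigestServer:
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users              # username -> HA1, so the clear password is not stored

    def check(self, username, method, uri, nonce, response):
        ha1 = self.users.get(username)
        return ha1 is not None and response == digest_response(ha1, method, uri, nonce)

def demo():
    password = "correct horse"                        # constructed sample password
    cr = ChallengeLoginServer({"alice": md5hex(password)})
    c1 = cr.new_challenge()
    r1 = client_challenge_response(c1, password)      # (c1, r1) is all that crosses the wire
    cookie = cr.login("alice", c1, r1)
    replay_rejected = cr.login("alice", c1, r1) is None          # same pair again: refused
    c2 = cr.new_challenge()
    stale_response_rejected = cr.login("alice", c2, r1) is None  # old response, new challenge: refused
    cookie_is_bearer = cr.request_with_cookie(cookie)            # the session-hijack gap the comment describes

    realm = "lj"                                      # constructed realm
    ds = DigestServer(realm, {"alice": digest_ha1("alice", realm, password)})
    nonce = secrets.token_hex(8)
    resp = digest_response(digest_ha1("alice", realm, password), "GET", "/inbox", nonce)
    digest_ok = ds.check("alice", "GET", "/inbox", nonce, resp)
    other_uri_rejected = not ds.check("alice", "GET", "/settings", nonce, resp)
    # Without qop, a same-URI/same-nonce replay is only stopped by the server retiring the nonce;
    # real deployments use qop=auth, which adds a request counter and client nonce to the hash.
    new_nonce_rejected = not ds.check("alice", "GET", "/inbox", secrets.token_hex(8), resp)
    return {
        "login_ok": cookie is not None,
        "replay_rejected": replay_rejected,
        "stale_response_rejected": stale_response_rejected,
        "cookie_is_bearer": cookie_is_bearer,
        "digest_ok": digest_ok,
        "other_uri_rejected": other_uri_rejected,
        "new_nonce_rejected": new_nonce_rejected,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the comments make falls out of the results: neither scheme ever sends the password, but the cookie check in `request_with_cookie` accepts any copy of the cookie, while the Digest response is only valid for the URI and nonce it was computed for. Neither hides the page contents, which is what TLS is for.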
As others have said, Firefox using less RAM means you have more left over for other programs. Also, "unused" RAM is used for caching files from the hard drive, so your computer has less need to actually access the hard drive.
an 8kbps voice codec typically takes 24-28kbps of IP if you don't encrypt it, and maybe double if you do.
As I understand modern encryption, it adds overhead to creating the connection because encryption keys have to be shared before encrypted data can be sent, but the actual encryption is done with a cipher such that it takes up the same amount of space encrypted as decrypted, so it does not cause a size overhead on the main data transfer. Then again, if it changes keys often or is doing something else special, then maybe it would cause that much overhead.
A lot of people seem to misunderstand Asimov's Laws of Robotics. They are not a suggestion for what laws real robots should follow. They are used to demonstrate that no simple set of rules could possibly make robots "safe". See the Wikipedia article, which mentions that.
At this point in history I'd like to see an open source email client that automatically uses nsa-grade encryption. Make it dead simple & make it default. Basically this will be necessary to ensure freedom since corporate controlled government has no further use for it.
The problem with making encryption simple is that, as far as I know, there is no way to make encryption easy without also making man-in-the-middle attacks easy or involving a certificates agency collecting money and verifying IDs. Users need to be somehow involved in key exchange in the current models.
A partial work-around is that instead of end-to-end encryption, use currently existing support for encrypting all of the links. Require clients to use the encrypted versions of the protocols to connect to the mail server. Have the mail servers communicate with each other using encrypted methods. It is not completely secure, but then in order to read an e-mail you would need access to one of the mail servers it passed through, which is a lot better than the current state of merely needing access to one of the routers it passes through.
Needing MS Office is a bad reason to switch away from Linux. It runs quite well on wine.
Personally, I do not use either because LaTeX covers almost everything I would use an Office suite for. In the rare occasion I need a spreadsheet, I use gnumeric because it works a lot better than OOo Calc. That said, Excel is a great piece of software. A good replacement for it would be quite a project.
As I understand it the "singularity" is specifically referring to what happens to technology after the creation of the first strong AI. The singularity theorists believe that (1) strong AI is possible and (2) will happen within our lifetime and (3) the creation of strong AI will cause an explosion of technological advancement. I have seen comments disputing all three with various reasonable arguments (it sounds like you would focus on attacking (3)), but please understand what you are talking about before dismissing it as ridiculous.
I believe the problem with that is that every window needs access to the same cookies, etc. in case you have two windows accessing the same website. There are probably other difficulties as well.
I agree with the sibling poster: links is good if you want a browser that acts like a GUI browser and is good with a mouse. I prefer lynx to links because if I am using a text-based browser, I usually want to control it with the keyboard, and I find lynx works better for that.
P.S. Oddly enough, my CAPTCHA today is "strategy". Intelligence perhaps?
Yes, actually Slashdot has a learning algorithm where it uses the topic and thread to determine which word to use for the CAPTCHA and checks the post for references to the CAPTCHA to see if it guessed correctly. Eventually this will evolve into autotagging and the ability of Slashdot to respond to comments on its own followed shortly thereafter by the Slashdot webserver achieving sentience.
Ah, thank you.
Did Firefox 3 add multiple dictionary support to the spell checker? Could you please be more specific as to where I could find it?
This does not explain why Opera uses so much less memory under the same usage. Then again, I have not had a chance to compare against Firefox 3 yet.
Congratulations, you got Asimov's point. See my reply to the grandparent.
I should tell my friend who recently installed Office 2003 with only minor difficulties to update AppDB then.