Remember, I said "in a world where people cared about security". Not running random code on the same computer you keep something as important as your private key is a part of that.;)
I'm setting myself up for a fall here, but I'm pretty secure that I'll never have a problem with phishers because a) I'm suspicious as hell, and b) there is fruit on the tree that's much lower hanging.
Coming soon to EU member states, unless *you* write to your MEPs and request that they attend (and vote against) the European Parliament's second reading of the computer-implemented invention laws.
In a world where people actually gave a damn about security, you and your bank would swap public keys when you opened an account (in person, at a physical branch).
Then it doesn't matter who initiates future communication, because all messages can be authenticated against the sender's public key.
"Perhaps e-banking would be more secure if the banking site had to show you proof of authenticity"
The SSL certificate that the bank's site presents to you when you connect is all the proof you need that your traffic is not being intercepted.
Unfortunatly, today's browsers hide the information about who the certificate was issued to away in a separate screen. IMO the subject of the certificate should be displayed in the status bar, where Firefox currently prints the hostname of the displayed site (needlessly, since that information is already in the address bar!)
But this isn't perfect. The certificate authorities treat the x509 dname as a unique block of text, rather than making sensible use of all the fields. Thus my bank presents a dname of "CN = www.ebank.hsbc.co.uk,OU = Terms of use at www.verisign.com/rpa (c)00,OU = Terms of use at www.verisign.com/rpa (c)00,O = HSBC Holdings plc,L = Sheffield,ST = South Yorkshire,C = GB".
IMHO our current CAs have buggered up the job, and deserve a good slapping. Instead of allowing a random company to buy its way into the CA market by paying off Netscape and Microsoft, we should ditch the present model for high-risk uses such as online banking.
Banks should issue their own (self-signed) certificates. When you open a bank account, you are supplied with the SHA1 and MD5 hashes of the certificate that the bank uses; the first time you visit the bank's web site, your browser throws up the "unidentified certificate" warning. You then eyeball the certificate, note that the hashes match those you have been provided with, and import the certificate into a store for future use.
The annoying thing is that we could do this *today*, if only people would start giving two shits about their security.
Maybe after a few thousand people get ripped off by identity thieves, people will start caring.
Why is the user running with privileges that allow them to create raw sockets? Why wasn't this email dropped on delivery to their email server? Why does their email program allow them to execute attachments? Why isn't their internal network segregated so that traffic between two hosts that don't need to talk to each other (eg, two workstations) is dropped?
Serious answer: Firewalls are only one of many tools that you can use to reduce exposure.
Flippant answer: this hypothetical office of which you speak is none other than that of... Valve Software!
"So yes ports that you don't want people talking on should be closed but in the real world that is just not possible"
Correction: just not possible with Microsoft Windows.
I notice the guy who made that web page uses Windows. Does the implementation of free in Windows' libc release memory back to the OS?
Glibc's free will release memory back to the operating system under certain circumstances. Perhaps this is why users on Linux claim this problem doesn't exist for them.
FYI, if you create a.gtkrc-2.0 then GTK will look there after attempting to load settings from gnome-settings-daemon. A program like gtk-theme-switch2 will do this for you if you don't know how.
> Remove all deprecated libraries from the codebase of the Gnome core.
I believe that deprecated libraries tend to be replaced by stubs that backport the new functionality to the old API. Eg, the gnome_sound_play function currently sends a sound file to Esound; when (if) GStreamer becomes part of the platform, the function in libgnome will be replaced with code to do the same thing in GStreamer.
The old APIs can not be removed until the developers decide to make a new release backwards-incompatible--this will be Gnome 3.0 (http://live.gnome.org/ThreePointZero).
> Remove or replace subsystems which never really were useful
Most people I see using Gnome use GnomeVFS all the time. Being able to access files shared on the network without having to be root to mount them is really nice. Even nicer is the sftp virtual filesystem, used for accessing files over SSH's SFTP. If GnomeVFS is to be replaced by something else, it will be by freedesktop.org's D-VFS.
As for Bonobo: I believe panel applets use it all the time, and I don't think KParts can be a sensible replacement for it: Bonobo isn't just for GUI components. Since it is a Corba implementation, one can use out-of-process components with it, as well as components running accross the network. It's more like DCOM, whereas Kparts are analogous to ActiveX.
Furthermore, I don't see the Gnome developers starting to use C++ any time soon. Besides the matter of taste and familiarity, C++ has problems with ABI stability. It took an age for Debian to recompile every C++ program when GCC 3.2 came out; I believe one of the reasons GCC 3.4 won't be in Sarge is because it breaks ABI compatibility again.
> Make all demons optional
Sounds like you want to duplicate the code from the daemons and copy it into each application. This would only increase memory usage and the number of bugs, while decreasing functinality. The reason GConf is really, really good is because of the signals/notification system. I'm not sure one's desktop would run much faster if every program one used polled its config file for updates every second.
As for Esound, it will go away in the future if GStreamer becomes a part of the Gnome platform. This will be really nice when it happens, because the job of picking which sound server to use (esd/polyp/arts/jack/none), configuring it, etc will be left up to the distributor. But GStreamer has a fair bit of improvement to do before this can happen; and since removing Esound all together is backwards incompatible, it will have to wait for 3.0.
Does this mean that other, previously usable, networks will experience an influx of Kazaa-using idiots; resulting in a crapflood of corrupted/mislabelled/poorly tagged/shit quality files?:(
Thanks for the clarification. But if we're at 9, surely a second reading by the Parliament is guaranteed (in which case we will hopefully end up at 14 & 15). I thought that if the council passes the directive as an A-list item then it to be adopted by member countries without any further discussion (5 & 6).
Of course it's more likely that the chart is (deliberatly) misleading.
Great. Unfortunately the commissioner from the UK is Peter Mandelson. Twice sacked from his own government for corruption, he is seemingly impossible to get rid of. I don't know anything about his fellow commissioners; is it safe to assume that they are all held to the same standards of honesty and integrity by whatever body oversees appointments to the European Commission?
> If someone came up with a unique idea that is good and new, why should they not > capitalize on it?
You don't need to patent an invention to make money with it. If allowing patents in a field does more good than harm then it should be allowed.
But you forget the purpose of patents. They exist in order to give inventors an incentive to invent, by which the progress of science and technology is furthered.
But writing software is not like bringing a new drug to market, or creating new type of tunnel drilling machine. Any man and his dog can sit down with a language reference, a library reference and a compiler, and create software that can take on the big boys. But the average man can not afford to fend off patent lawsuits by the large corporations, who can afford to build up large patent warchests, and who have an interest in keeping other competitors out of "their" markets.
> And it is almost impossible for someone to scry and _predict_ > whether patents would be good or bad in each field - it would be very highly > relative.
So because something difficult we should just give up, and sign away our markets to large, established corporations?
A market without competition stagnates. Without an incentive to innovate, a monopolist will keep its prices high, and its markets stale. Why change what works, its directors think.
Do you think we'd even be having this discussion today if Intel succeded in keeping AMD from competing with it over all these years? We'd be lucky if we even had 486s next year, that cost $2500 per chip.
So Microsoft's case is thrown out. Doesn't fix the fact that I had to spend thousands to get this far. Oh, and I have 200 suits pending against me for violating their bullshit patents.
Everyone likes being a bitch. The vast majority of Europeans don't know: they think that they still have power over the laws that get handed down to them; and the majority of Americans don't seem to care.
Slashdot Mirror
Of course it can't set a precedent.
One party's choice not to pursue a violation of their copyright does not invalidate other copyrights.
It's up to the copyright holder whose intellectual property has been infringed to bring action upon MXS.
Your last paragraphs: more evidence that we should kill all the leaders on both sides? :)
Remember, I said "in a world where people cared about security". Not running random code on the same computer you keep something as important as your private key is a part of that. ;)
I'm setting myself up for a fall here, but I'm pretty secure that I'll never have a problem with phishers because a) I'm suspicious as hell, and b) there is fruit on the tree that's much lower hanging.
Coming soon to EU member states, unless *you* write to your MEPs and request that they attend (and vote against) the European Parliament's second reading of the computer-implemented invention laws.
In a world where people actually gave a damn about security, you and your bank would swap public keys when you opened an account (in person, at a physical branch).
Then it doesn't matter who initiates future communication, because all messages can be authenticated against the sender's public key.
"Perhaps e-banking would be more secure if the banking site had to show you proof of authenticity"
The SSL certificate that the bank's site presents to you when you connect is all the proof you need that your traffic is not being intercepted.
Unfortunatly, today's browsers hide the information about who the certificate was issued to away in a separate screen. IMO the subject of the certificate should be displayed in the status bar, where Firefox currently prints the hostname of the displayed site (needlessly, since that information is already in the address bar!)
But this isn't perfect. The certificate authorities treat the x509 dname as a unique block of text, rather than making sensible use of all the fields. Thus my bank presents a dname of "CN = www.ebank.hsbc.co.uk,OU = Terms of use at www.verisign.com/rpa (c)00,OU = Terms of use at www.verisign.com/rpa (c)00,O = HSBC Holdings plc,L = Sheffield,ST = South Yorkshire,C = GB".
IMHO our current CAs have buggered up the job, and deserve a good slapping. Instead of allowing a random company to buy its way into the CA market by paying off Netscape and Microsoft, we should ditch the present model for high-risk uses such as online banking.
Banks should issue their own (self-signed) certificates. When you open a bank account, you are supplied with the SHA1 and MD5 hashes of the certificate that the bank uses; the first time you visit the bank's web site, your browser throws up the "unidentified certificate" warning. You then eyeball the certificate, note that the hashes match those you have been provided with, and import the certificate into a store for future use.
The annoying thing is that we could do this *today*, if only people would start giving two shits about their security.
Maybe after a few thousand people get ripped off by identity thieves, people will start caring.
Post in HTML mode and do this. But don't do that! Google doesn't know what "this" is when it sees a hyperlink entitled such. Here's an article about why links entitled "click here" are a bad idea.
Why is the user running with privileges that allow them to create raw sockets?
Why wasn't this email dropped on delivery to their email server?
Why does their email program allow them to execute attachments?
Why isn't their internal network segregated so that traffic between two hosts that don't need to talk to each other (eg, two workstations) is dropped?
Serious answer: Firewalls are only one of many tools that you can use to reduce exposure.
Flippant answer: this hypothetical office of which you speak is none other than that of... Valve Software!
"So yes ports that you don't want people talking on should be closed but in the real world that is just not possible" Correction: just not possible with Microsoft Windows.
But this time it is legislation that is beneficial to large business interests. Therefore European government ministers will fawn all over it.
To reject/alter on a second reading the Parliament requires an absolute majority of 70%. Not going to happen. Start patenting now.
You can't escape from a directive. If you try then the countries that do implement the directive impose trade sanctions on you.
The EU is shit.
I notice the guy who made that web page uses Windows. Does the implementation of free in Windows' libc release memory back to the OS?
Glibc's free will release memory back to the operating system under certain circumstances. Perhaps this is why users on Linux claim this problem doesn't exist for them.
Bollocks. That should have been:
/<i>
Or you can use a decent editor. :p
/
In vim:
Or, click on a symbol and press *
FYI, if you create a .gtkrc-2.0 then GTK will look there after attempting to load settings from gnome-settings-daemon. A program like gtk-theme-switch2 will do this for you if you don't know how.
> Remove all deprecated libraries from the codebase of the Gnome core.
I believe that deprecated libraries tend to be replaced by stubs that backport the new functionality to the old API. Eg, the gnome_sound_play function currently sends a sound file to Esound; when (if) GStreamer becomes part of the platform, the function in libgnome will be replaced with code to do the same thing in GStreamer.
The old APIs can not be removed until the developers decide to make a new release backwards-incompatible--this will be Gnome 3.0 (http://live.gnome.org/ThreePointZero).
> Remove or replace subsystems which never really were useful
Most people I see using Gnome use GnomeVFS all the time. Being able to access files shared on the network without having to be root to mount them is really nice. Even nicer is the sftp virtual filesystem, used for accessing files over SSH's SFTP. If GnomeVFS is to be replaced by something else, it will be by freedesktop.org's D-VFS.
As for Bonobo: I believe panel applets use it all the time, and I don't think KParts can be a sensible replacement for it: Bonobo isn't just for GUI components. Since it is a Corba implementation, one can use out-of-process components with it, as well as components running accross the network. It's more like DCOM, whereas Kparts are analogous to ActiveX.
Furthermore, I don't see the Gnome developers starting to use C++ any time soon. Besides the matter of taste and familiarity, C++ has problems with ABI stability. It took an age for Debian to recompile every C++ program when GCC 3.2 came out; I believe one of the reasons GCC 3.4 won't be in Sarge is because it breaks ABI compatibility again.
> Make all demons optional
Sounds like you want to duplicate the code from the daemons and copy it into each application. This would only increase memory usage and the number of bugs, while decreasing functinality. The reason GConf is really, really good is because of the signals/notification system. I'm not sure one's desktop would run much faster if every program one used polled its config file for updates every second.
As for Esound, it will go away in the future if GStreamer becomes a part of the Gnome platform. This will be really nice when it happens, because the job of picking which sound server to use (esd/polyp/arts/jack/none), configuring it, etc will be left up to the distributor. But GStreamer has a fair bit of improvement to do before this can happen; and since removing Esound all together is backwards incompatible, it will have to wait for 3.0.
Does this mean that other, previously usable, networks will experience an influx of Kazaa-using idiots; resulting in a crapflood of corrupted/mislabelled/poorly tagged/shit quality files? :(
Thanks for the clarification. But if we're at 9, surely a second reading by the Parliament is guaranteed (in which case we will hopefully end up at 14 & 15). I thought that if the council passes the directive as an A-list item then it to be adopted by member countries without any further discussion (5 & 6).
Of course it's more likely that the chart is (deliberatly) misleading.
Great. Unfortunately the commissioner from the UK is Peter Mandelson. Twice sacked from his own government for corruption, he is seemingly impossible to get rid of. I don't know anything about his fellow commissioners; is it safe to assume that they are all held to the same standards of honesty and integrity by whatever body oversees appointments to the European Commission?
The license states, "for the sole purposes of developing Products that output SWF".
Furthermore,
> If someone came up with a unique idea that is good and new, why should they not
> capitalize on it?
You don't need to patent an invention to make money with it. If allowing patents in a field does more good than harm then it should be allowed.
But you forget the purpose of patents. They exist in order to give inventors an incentive to invent, by which the progress of science and technology is furthered.
But writing software is not like bringing a new drug to market, or creating new type of tunnel drilling machine. Any man and his dog can sit down with a language reference, a library reference and a compiler, and create software that can take on the big boys. But the average man can not afford to fend off patent lawsuits by the large corporations, who can afford to build up large patent warchests, and who have an interest in keeping other competitors out of "their" markets.
> And it is almost impossible for someone to scry and _predict_
> whether patents would be good or bad in each field - it would be very highly
> relative.
So because something difficult we should just give up, and sign away our markets to large, established corporations?
A market without competition stagnates. Without an incentive to innovate, a monopolist will keep its prices high, and its markets stale. Why change what works, its directors think.
Do you think we'd even be having this discussion today if Intel succeded in keeping AMD from competing with it over all these years? We'd be lucky if we even had 486s next year, that cost $2500 per chip.
So Microsoft's case is thrown out. Doesn't fix the fact that I had to spend thousands to get this far. Oh, and I have 200 suits pending against me for violating their bullshit patents.
Everyone likes being a bitch. The vast majority of Europeans don't know: they think that they still have power over the laws that get handed down to them; and the majority of Americans don't seem to care.