Slashdot Mirror


User: DarkOx

DarkOx's activity in the archive.

Stories: 0
Comments: 6,020

Comments · 6,020

  1. Re:Simple methodology on The Programmers Who Want To Get Rid of Software Estimates · · Score: 1

    That should not happen as often as it does though. Part of being a "professional" where it comes to software architecture is anticipating reasonable future needs and planning for them.

    If a one-line spec change blows the estimates out of the water many times that probably indicates major rework had to happen. It should not be that way most of the time. If it is, the development team did a poor job of planning ahead, likely, not always if someone changes "suitable for car wash automation" to "suitable for nuclear reactor automation" fine, you can toss the old estimate out the window entirely and none of the fault is your own.

  2. Re:The big thing that is missing on FCC Approves Net Neutrality Rules · · Score: 1

    more control is not the same as less freedom

    Control and freedom are really synonymous.

    The government now has more freedom to define how Internet providers operate. Internet providers now have less freedom to run their business as they saw fit.

    The government now has more control of how Internet providers operate. Internet providers now have less control of their business.

    It's all semantics really.

  3. Re:Get ready for metered service on FCC Approves Net Neutrality Rules · · Score: 2

    second world country called the United States

    Can you people please learn what first, second, and third world mean/meant?

    First world - Connected to the United States and the West diplomatically.

    Second world - Inside the Soviet sphere of influence, I guess this applies to Russia today.

    Third world - Nations not allied with any side in the cold war. This had a connotation of rather backwards less developed. This was not necessarily the case of all Third world places though. It simply meant they were not strategically interesting enough to First or Second world parties to have a close relationship. Often the reason for that was because their economies were small and the natural resources they controlled were few, hence the association with poverty in common language.

  4. Re:God created man, man created robot on Machine Intelligence and Religion · · Score: 1

    What I meant was if we are made in God's image, then the droid are made in our image, the droid are second generation copy of God's image.

    As you continue making imperfect copies from imperfect copies the quality degrades. Therefore if the AI adopts the Christian viewpoint of man being made in God's image but also holds it was made in man's image, it will always be less divine than man.

  5. WINE on The State of Linux Gaming In the SteamOS Era · · Score: 2

    Rather than targeting Windows, game studios should just target a wine release. If it works there it will work on Windows version X. If they simply started doing their development to winelib and worked around stuff that is stubbed or does not work on the front end, they probably would get a product that would reliably run on most Linux distros and Windows with little added effort.

    Wine + the staging patches (RH uses this as their packaged version now) is pretty damn good.

  6. Re:God created man, man created robot on Machine Intelligence and Religion · · Score: 1

    Which is probably a good thing for us. As long as the AI believes itself to be racially inferior N+1 generation copy, it will be easier for us to maintain our overlord status.

  7. Re:Instilling values more important on Ask Slashdot: Terminally Ill - What Wisdom Should I Pass On To My Geek Daughter? · · Score: 5, Insightful

    Adding to this, no matter what you do, suffering the loss of her father at such an immediately pre-adolescent age like this is going to be a hurt she will probably always carry. Keep in mind she is old enough to have a pretty good although not complete idea of who you are, you are I am sure important to her if she shows it or not, and she is going to recall both her own pain at your loss and the pain of your wife etc.

    That isn't a hurt she might want to work thru in the midst of other big life events. She might be really having fun with her friends on graduation day and not feel like opening that wound, and if she does not sit down and watch the video of day feel guilty at betraying your memory. Other events in her life might simply not take the shape you imagine, suppose you make a video for advice on marriage but she chooses not to or worse feels pressured to marry because she thought you expected it of her?

    I think leaving videos behind is a wonderful idea but if it were me rather than making event specific videos I'd make age specific videos, titled like "For Winter Sometime your 25th Year" you can talk about some of things you were going through at that age, ideas about the world you recall having, how you felt about things etc. I am sure she will find your thoughts very interesting. There is still plenty of time to give advice on things as well, like "Spring of your 15th year".

    This way she can pick a time when it's emotionally convenient to visit with the memory of dad and you can still say what you want to say to her around given stages of her life.

  8. Re:Fridge door handle on Should a Service Robot Bring an Alcoholic a Drink? · · Score: 3, Insightful

    Is it quite that simple? I think a machine should obey its owner to the limits of its capability to do so. For instance your laptop should not let me unlock your desktop session should it? Even if you left it with me in the meeting room while you went to get some water?

    It should however let you unlock it. Maybe if you have so configured it, I should be able to logon as guest and use a web browser but not install software or access your personal files.

    The care bot should be the same way. It ought to do what its owners tell it. If I buy a care bot to look after my elderly mother I would want to generally program it to obey her instructions, but maybe I would want to put in a deny list and some event triggers, like if the request includes "chocolate cake" kindly decline and remind her she is diabetic, suggest it could whip up some nice meringues dusted with cocoa powder if she really wants chocolate.

       

  9. Re:I hope this wasn't a trojan horse on Republicans Back Down, FCC To Enforce Net Neutrality Rules · · Score: 1

    This is not regulation of the Internet, but regulation of the means by which the Internet is accessed.

    Wow, are you already in public office or just practicing before your campaign? I mostly agree with your post but that line is right up there with Clinton's "It depends on what the meaning of the word 'is' is".

    Seriously man this is regulation of the Internet, it gets to the very core of how the network is structured, this will over the long term impact all sorts of things like peering agreements. Let's at least be honest about what we are doing here.

    Nominally I am opposed to regulation. The trouble is these carriers only exist because of regulation giving them those rights of way etc. I don't like looking at the sagging cable line at the edge of my property but as long as regulation is going to prevent me from sending Comcast a bill or hacking it down, I agree the public and I deserve something in exchange.

  10. Re:Sounds good on Republicans Back Down, FCC To Enforce Net Neutrality Rules · · Score: 1

    Right because FORCING everyone to purchase a product they might not want and at the same time exposing some of their most private information to half the government is anything like applying title II regulations to small number of companies.

    Companies that are still free to exit the market anytime they choose, charge essentially whatever they'd like etc. The reality is these regulations bar these companies from engaging in a practice, that outside a few relatively high profile exceptions they don't do much of today, so nobody's sacred cow is being herded to the slaughterhouse either really.

    I think your perspective is a little off. One is clearly far more invasive and far reaching than the other. Regardless of which you support and which you oppose it should be abundantly clear why the general public and general congress person would be more likely to have a strong reaction to one than the other.

  11. Re:Said this 14 years ago. We need to replace E-Ma on Moxie Marlinspike: GPG Has Run Its Course · · Score: 1

    That isn't really any better. Either the client has to have software the webserver does not control (and then it's not web mail anymore) or you are a couple of minor alterations to the JavaScript that runs the thing from the client just posting the private keys back up to the server or anywhere else.

    So if the service is compromised by an attacker, be it with an NSL or some technical means, and they can alter the application even slightly you are totally boned.

    Either you need to personally be in control of the content, keys, and client or they at least need be in the control of separate entities for you to have any hope whatsoever of a secure solution.

  12. Re:I use GnuPG on Moxie Marlinspike: GPG Has Run Its Course · · Score: 2

    Thanks for the reply.

    I point out that if the message "from me" is signed, then it was signed by my PRIVATE key and the public key you get from my web site should confirm the signature.

    Sure but what if I create a key pair, and send a message that claims to be from you but says please go download my public key at http://attackersite.com/andyca...

    See the problem is I have this unauthenticated message and the only information I have about how I can authenticate the message is in the message. That is my biggest problem with your method.

  13. Re:I use GnuPG on Moxie Marlinspike: GPG Has Run Its Course · · Score: 2

    My GnuPG public key is on my web site (www.andycanfield.com). It is not on any "KeyServer"; I don't believe in key servers

    So how does someone like me obtain your key securely? If you send me a message that is signed and say go to this link to get the pubkey so you can check the signature, I don't know the message is really from you and all the attacker needs to do is put his pubkey at the message url, assuming the message came from the attacker impersonating you.

    Even if the message was legit how can I know my routing or DNS isn't being tampered with? How do I verify andycanfield.com is really yours? Am I supposed to use SSL/TLS with a public CA and trust one of those extra layers that you don't and could easily be subverted by the NSA?

    Key distribution is really a hard problem, don't feel bad for not having solved it, nobody else really has either.

    but but...web of trust...yadda, yadda. -- No, this just does not work. It requires you have enough people you trust to make good transitive authentication decisions at least better than the commercial CAs do.

  14. Re:Actually, ADM Rogers doesn't "want" that at all on NSA Director Wants Legal Right To Snoop On Encrypted Data · · Score: 1

    If we're essentially saying that it was only okay for the US and our allies to, for example, break the German or Japanese codes during WWII simply because Americans weren't also using the same codes, and therefore that is the only reason that the government could be "trusted" to not misbehave or abuse its powers, then we have a serious problem on our hands.

    We are not saying that at all. It was okay to crack those codes because it was part of an effort to fight a DECLARED war against a foreign power. Those ciphers were specifically being used to protect the military communications of our enemies. (Yes I am aware Enigma had commercial applications) The messages they were focused on cracking specifically were those where there was GOOD CAUSE to believe they were military communications.

    There is nothing wrong with SIGINT or pretty much any and all efforts to obtain information related to an entity we have a lawful declaration of war against. It's a grey area where it comes to foreign nations which we are not at war with.

    It's a violation of the 4th amendment in the opinion of many reasonable educated American citizens when it comes to doing it to us. You have already demonstrated that you will play fast and loose with any restrictions placed upon you. The whole 3 steps linking meant practically everyone's records were subject to tap, for example. So the fact your ilk and you sir are ilk because your comparisons of our largely impotent (in real terms of ability to cause mass casualties or economic harm not self inflicted in response) terrorist enemies of today to those of WWII which had massive armies on the march and sunk our naval fleet off Pearl Harbor is a blatant attempt to create fear and distract from the real issues.

    Society simply does not have a strong enough interest in the ability to decipher most people's private communications. If you have enough evidence obtained by methods most of the public would agree is reasonable to actually obtain a warrant to track someone's phone, or seize their computer, intercept their e-mails etc, you probably have near enough to convict anyway. The thing is you don't have that, instead you grab up people with your little dragnet and then parallel construct your way to an excuse to seize something that you then have to decipher because you need that evidence as you can't talk about anything else. Never mind all the other folks whose rights you violated along the way, nope it's all good because it puts criminals behind bars. Guess what, our justice system was predicated on the idea of individual rights needed to be respected even if that means the guilty go undetected or get acquitted perhaps even most of the time. The fact that YOU DON'T LOVE AMERICA AND FREEDOM to borrow a politically charged quote of the day isn't our problem.

    100 years ago it was okay under the 5th amendment not to tell you where I'd buried my ledgers in the woods, so today should it be okay for me to use encryption that you don't know how to break and not give you the keys.

    Do what you want to ISIS AFTER CONGRESS DECLARES WAR until then go sit in the corner quietly and masturbate or something.

  15. Re:Comodo are the biggest Cert issuer on Advertising Tool PrivDog Compromises HTTPS Security · · Score: 1

    Certificate pinning (though downright irritating if you are doing local development) really is the right solution.

    Outside your bank where you probably could get a self signed key given to you when you open an account, most of us don't have a way to initially verify the authenticity of a site. We need the 3rd party CAs. No, web of trust does not really work because I for one don't know enough people I trust to competently handle key signing, and transitive authorization decisions better than the CAs do.

    Pinning though would help a great deal. A loud warning that the certificate changed more than say a couple weeks prior to its original expiry date is a good control. Unfortunately there are still a number of perfectly legitimate reasons for that to occur and I don't have a good solution for how the end user is supposed to resolve that. One approach might be for browser software to 'require' the old CERT to either be expired or appear on the CRL before the new one is treated as valid. Now obviously that won't protect you if the CA itself is compromised, in all cases but it would close lots of holes.

    NSA/other spy/criminal agency gets the original CA to issue a new cert - So mister spy now has to be able to sign for the CA as well as Google, and redirect traffic to both CA's revocation lists AND Gmail. This will be more difficult - though by no means impossible. If you manage to compromise the CA and get their private key you can do this.

    However what you can no longer do is, get a cert from some other CA. IE the NSA can't use one of the DOD CA's that many browsers trust to issue a certificate for GMail, $DICTATOR in $COUNTRY can't use his national CA either. They have to actually get GEOTRUST or whoever the original issuer was to do it, or compromise them, not just any CA like today. This would be much better.
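Added example (not part of the original comment, and not any browser's actual pinning logic): one way to encode the pin-change rules proposed in comment 15, covering early changes, expiry or revocation of the old certificate, and a switch to a different CA. The `CertInfo` record, the 14-day window, the decision names and the sample certificates are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# "A couple of weeks" before expiry counts as an ordinary renewal (assumed value).
RENEWAL_WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class CertInfo:
    """Hypothetical record of the fields a client keeps per certificate."""
    fingerprint: str     # hash of the certificate, used as the pin
    issuer: str          # name of the CA that signed it
    not_after: datetime  # expiry time


def evaluate_pin(pinned, presented, issuer_crl, now):
    """Compare a presented certificate with the stored pin.

    issuer_crl is the set of fingerprints revoked by the pinned cert's CA.
    Returns (decision, reason) with decision in accept/repin/warn/reject.
    Normal chain validation is assumed to have passed already.
    """
    if pinned is None:
        return "repin", "first visit, nothing to compare against"
    if presented.fingerprint == pinned.fingerprint:
        return "accept", "certificate matches the pin"

    old_retired = now >= pinned.not_after or pinned.fingerprint in issuer_crl
    if old_retired:
        # The old cert is expired or its own CA revoked it: replacement is expected.
        return "repin", "pinned certificate expired or revoked by its issuer"

    if presented.issuer != pinned.issuer:
        # A second CA is vouching for the site while the original CA still
        # stands behind the old certificate: the cross-CA case in the comment.
        return "reject", "different CA while the pinned certificate is still valid"

    if pinned.not_after - now <= RENEWAL_WINDOW:
        return "repin", "same CA, inside the renewal window"
    return "warn", "same CA, changed long before expiry without revocation"


def demo():
    """Run the policy over constructed sample certificates."""
    utc = timezone.utc
    old = CertInfo("fp-old", "Example CA 1", datetime(2015, 12, 1, tzinfo=utc))
    same_ca = CertInfo("fp-new", "Example CA 1", datetime(2016, 12, 1, tzinfo=utc))
    other_ca = CertInfo("fp-other", "Example CA 2", datetime(2016, 12, 1, tzinfo=utc))
    early = datetime(2015, 3, 1, tzinfo=utc)    # nine months before expiry
    late = datetime(2015, 11, 25, tzinfo=utc)   # six days before expiry
    return [
        evaluate_pin(old, old, set(), early)[0],
        evaluate_pin(old, same_ca, set(), early)[0],
        evaluate_pin(old, other_ca, set(), early)[0],
        evaluate_pin(old, same_ca, {"fp-old"}, early)[0],
        evaluate_pin(old, same_ca, set(), late)[0],
    ]


if __name__ == "__main__":
    print(demo())
```

As the comment notes, a party that controls the original CA can still revoke the old certificate and pass this check; the policy only removes the option of using an unrelated CA.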

  16. Re:No no! on Advertising Tool PrivDog Compromises HTTPS Security · · Score: 1

    Yes, I am sure the OP was either being sarcastic or trolling but the reality is there are A LOT of web developers and marketing people who think that way. The most basic form of it is web pages that don't flow. Yet people build pages that force 4:3 layouts to this day, make you page through content that could easily scroll or even fit on a single page rendered on a large and hi-res display, etc.

    These people do need to be named, shamed and generally rejected.

  17. Re:Fallout? on NSA, GHCQ Implicated In SIM Encryption Hack · · Score: 3, Interesting

    Maybe so but we are supposed to live in a society of laws, both here in the States and in Europe. The US government's general position is Americans are always subject to American laws, and nobody is supposed to be above the law. Kevin Mitnick did essentially the same thing, called up a manufacturer, social engineered them into giving him information. The FBI was certainly on his ass, the federal prosecutors certainly pushed for and obtained a conviction.

    These guys though? Nobody will even look into it on the prosecutorial side because these guys had an NSA badge on why they did it.

    The Computer Fraud and Abuse Act is found at 18 U.S.C. 1030. Subpart (f) reads as follows:

            This section [i.e., the Computer Fraud and Abuse Act] does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

    There is the law, notice the lawfully authorized part? They are not entitled to do anything you and I can't do UNLESS they have a search warrant or there is some other law on the books specifically authorizing the activity. I doubt even the FISA court would have rubber stamped this one.

  18. Yes it would infringe on your freedoms. It's the MMU's job to enforce the Law not big brother Compilers.

  19. Re:List 'em in the summary, slashdot. on Ars: SSL-Busting Code That Threatened Lenovo Users Found In a Dozen More Apps · · Score: 5, Informative

            CartCrunch Israel LTD
            WiredTools LTD
            Say Media Group LTD
            Over the Rainbow Tech
            System Alerts
            ArcadeGiant
            Objectify Media Inc
            Catalytix Web Services
            OptimizerMonitor

  20. Re:Why hasn't it happened already? on Al-Shabaab Video Threat Means Heightened Security at Mall of America · · Score: 1

    "Yes we can!" to borrow a phrase from our feckless leader. I am not saying we should do that but we could stomp out ISIS if we wanted.

    What we should do and I think would be a far far better approach would be to END our efforts in the middle east and implement real effective border security; whereby persons DO NOT illegally enter the country successfully. Additionally implement intensified screenings with background checks and the closing of visa loopholes for people who wish to visit and for Americans returning from hot zones. All of that could probably be implemented for a tiny fraction of the ongoing costs of middle eastern conflicts.

    If we however wanted to stomp out ISIS we could recognize the problem for the Islamic threat that it is, and take the approach the Russians did and the European colonial empires before them. Make everyone swear fealty to us and demand they control their people according to the laws our local military governor institutes. When the rules are broken either the local population turns over the responsible parties quickly or brutal and indiscriminate punitive action is implemented instead. Where we drop a daisy-cutter on a population center, raze a holy site etc. This is exactly how the non failed states operate over there, the local dictator maintains a sufficient level of fear such that when anyone discovers anyone else even thinking of resisting, turns them in to avoid everyone's lives being upended or just ended. Mind you this would put us on the same moral and ethical plane as Gaddafi, Saddam, al-Assad, and their ilk but it's certainly "do-able". I think we are better than that, I really hope we are, but I do think we *could* do it.

  21. Re:Regulatory discretion on 800,000 Using HealthCare.gov Were Sent Incorrect Tax Data · · Score: 3, Insightful

    You're accusing the left of corporate giveaways? Methinks you have the left and right mixed up.

    No I don't have my left and right confused. I dare say most of the GOP is confused about being on the right. Almost all regulation is a form of corporate giveaway. If it has no other effects, one certain effect is it creates a new barrier to entry in some way. It's a giveaway to the existing players because it keeps others out.

    Think about this. Do you think it would be easier to set up a new health insurance company in 2015 than it was in 2009? I am not suggesting it was easy in 2009 but it's certainly harder now. Who is that good for? -- existing insurers.

  22. Oh darn... on 800,000 Using HealthCare.gov Were Sent Incorrect Tax Data · · Score: 4, Insightful

    Obama administration, under heavy pressure from congressional Democrats, also announced that it would give several million people more time to buy health insurance so they could comply with federal law and avoid tax penalties.

    I really hope the King v. Burwell case goes against the government. The executive branch needs to learn they implement the law congress passes not the one they wish congress passes. If Obama and lefties suddenly are not allowed to continue to make up the rules as they go along maybe the other half of America will realize this law for the ill considered, abusive overreach of authority and corporate giveaway that it is.

  23. Re:Only a partial removal? on Lenovo To Wipe Superfish Off PCs · · Score: 1

    There's a good reason to have security on every program with its own rules.

    Sounds good, but it's not really true. Security is absolutely more about people than technology. The tech is important certainly but you have to think about the people first. Few people will audit their cert stores, fewer people will audit multiple cert stores.

    People will be in the general sense served by fewer, more consistently applied and predictable rules throughout the system; this increases their ability to understand them and enables them to make good decisions. I dare say most Web users today don't understand the relationships between certificates, keys, and CA certificates.

    If there is one repo for CA certs by default (whether it has a user level overlay or not) you can at least kinda get people to understand hey you trust all the organizations you see in this key chain to vouch for the identity of others. What you advocate means you have to add, "unless you're using an application that keeps its own list some place else", that isn't a win.

    Now if they change an app like Firefox to use some other list fine, then they probably understand the effect of what they are doing to a degree, but it's not a good default.

    On the technical side.

    Given the history of the NSA and Microsoft, you're better off assuming the OS cert store is fucked in the first place, sir.

    If it's the NSA I assume I am fucked, there is nothing I am going to do short of giving up on the Internet entirely that is going to thwart a trillion dollar agency if they decide to look at me. If my OS is compromised then keyloggers and screen scrapers, API hooks etc are going to discover everything I could possibly want to protect with any application specific security rules. So if you start from the assumption the OS is compromised this entire discussion is moot.

  24. Re:Only a partial removal? on Lenovo To Wipe Superfish Off PCs · · Score: 1

    I got news for you, if your primary OS cert store gets fucked you are fucked. What do you think your OS uses to validate updates etc? hmm?

    If your OS is compromised there is little (probably no) information an attacker won't be able to get in terms of what you are doing in your browser. So I reject your argument.

    Like I said having the option to use its own keystore is a good thing. If for specific reasons you may have you don't want the browser to trust what is in the system store or want the browser to trust something you don't want to put in the user or system level CA stores that totally makes sense to me as needed granularity but it's not what everyone needs and not what most will want much of the time. It's not a good default.

  25. Re:Only a partial removal? on Lenovo To Wipe Superfish Off PCs · · Score: 4, Insightful

    Well Mozilla products are defective in this area IMHO. They should use system certificate stores by default rather than their own. On Windows they should use the Windows store, on OSX they should use Keychain and on Linux/BSD they should use /etc/ssl

    Shipping their own is confusing for end users and forces them to manage multiple trust locations. I can totally see some people wanting to use a different keystore for their web browser than other software uses and having an option would be nice, but it should NOT be the default let alone the only offered behavior. I write this as a long time Seamonkey user, but this would be my biggest complaint.