Slashdot Mirror


User: owlstead

owlstead's activity in the archive.

Stories: 0
Comments: 3,436

Comments · 3,436

  1. Re:Banking secrecy laws on Government Could Forge SSL Certificates · · Score: 1

    Personally, I don't give France a bad rap at all (unless it has got something to do with their previous nuclear decisions).

    I'm just saying that suggesting that BSI, a company that is credited for giving out Common Criteria certifications, is involved in counter-espionage requires at least some indication of guilt on their part.

    And they would be doing this by deliberately slipping through a bad implementation made by a (largely) French company - for their next door neighbor Luxembourg no less? And then they are going to listen in to the connections of the citizens just to do - well what exactly?

    I'm in no doubt that this is physically possible, but it scores pretty high on my bull-shit-o-meter.

  2. Re:They've Always Been Pointless on Government Could Forge SSL Certificates · · Score: 1

    SSL certificates only provide the ability to encrypt communication between a browser and a server. That's all it's for.

    No they are not. They are for providing authentication. You would not need any certificates to encrypt communications. Of course, you can then do a man in the middle attack, but you can only get around that by authentication anyway.

    Alas, many people have tried to build in some level of 'trust' to SSL as well, and the money racket that has grown up around issuing SSL certificates on an ad-hoc basis just so someone's browser doesn't complain needs to go the journey.

    This has indeed been identified. There are a couple of things with that. 1) SSL certificates are, normally, just issued to the owner of the site. That already provides some security. 2) You can get certificates that provide more trust nowadays.

    Those root certificates in your browser are just money for old rope. We definitely need something better.

    I'm not so sure that the current SSL certificate scheme could not be fixed. Just saying we need something better does not fix anything.

    People could e.g. vote for SSL certificates for a specific site (same as PGP uses certificates signed by many persons to create trust). Another idea is to very clearly notify the user when a previously unused root certificate is used (I'll get suspicious when a banking site suddenly uses the [insert suspicious country of choice] certificate for its root). An option to display changeover of server certificates may also be a good idea.

    Especially if you try and trick users on a large scale, it only takes one person to alert the authorities that something is amiss.

  3. Re:Banking secrecy laws on Government Could Forge SSL Certificates · · Score: 1

    "And the BSI [www.bsi.de] institute (which "certified" the cards) "overlooked" this weakness, because the Germans too have a vested interest in spying on communications with Luxembourgish banks. DOUBLE FAIL."

    That's a pretty serious accusation - personally I would put this strictly in the "paranoid scheming" box unless you've got anything to back up that claim.

  4. Re:No. on Can Ubuntu Save Online Banking? · · Score: 1

    The entire purpose of online banking is to allow its subscribers to conduct their usual transactions in a way that integrates with their daily workflow. This runs completely against that goal, since the customer would have to reboot their computer (which is an impractical solution in some situations and an impossible one in others) just to check their balances. Completely unacceptable.

    Ok, you should certainly be modded up for that comment. I cannot see this work for my normal bank transactions. I *can* see this work for special bank transactions where security is really required, like accessing an account with large amounts of money, changing the way it is invested etc. It would be an in between of handing out / buying a special device for that reason.

  5. Re:Worst Idea Ever on Can Ubuntu Save Online Banking? · · Score: 1

    Of course not, RSA security is fine. It's the clients' machines that get infected.

  6. Re:The *best* feature: on Sprint Unveils HTC Evo 4G Super Phone · · Score: 1

    Well, I would post a howto here, were it not for the fact that I did not really do anything. It might be that you are suffering from a little too few credentials to add a USB network interface or modem driver (I don't even know which one, although I could find out) in your Linux distro.

  7. Re:One down, one still very good to go. on NASA Gives Mars Rover Extra Smarts · · Score: 1

    They sure seem to be in need of a set of wheels :)

  8. Re:This. Is. Wrong. on Sprint Unveils HTC Evo 4G Super Phone · · Score: 1

    "OK, so this phone has more jam than my wife's and I's two celeron laptops, and is just about as powerful as my Sempron desktop. Why have a computer?"

    Full sized keyboard and monitor? 3D graphics card? The idea that you can receive messages while doing something different with your computer?

    If it supports 1920x1080 of course, you could simply buy a HDTV, a BlueTooth keyboard and use Google docs (for mundane tasks). So you could do a lot of things without buying a PC.

    Flash probably won't work correctly because it never does, unless you use Windows XP or higher.

  9. Re:No hardware keyboard... on Sprint Unveils HTC Evo 4G Super Phone · · Score: 1

    With the HTC Hero you can use the vibrate function to see if you hit a key. It's very useful, even though it lags just ever so slightly - I think they fix that in Android 2.1. The good thing about the touch screen input is that it is VERY easy to use with a single hand, holding it with the other. It's amazing how much more sense that makes - I did not expect it to matter at all when I bought the device. Basically I think the touch screen input is better, even though it is somewhat slower. The fact that you can adapt the keyboard for different inputs is a brilliant idea as well - never having to look for the @ key while typing email addresses helps tremendously.

  10. Re:No hardware keyboard... on Sprint Unveils HTC Evo 4G Super Phone · · Score: 1

    I've got a HTC Hero with capacitive screen (as this one will have) and it is very nice to type short messages on, especially when the automatic correction can be used (e.g. internet URLs, mail addresses and CLI are a bit harder). I imagine that with a much larger screen the keyboard will be even better. You can use the trackball to precisely position the cursor. The only thing is that there is only a single, expensive stylus you can buy, and I don't see how you can use that for pixel precise input.

  11. Re:The *best* feature: on Sprint Unveils HTC Evo 4G Super Phone · · Score: 2, Informative

    Tethering on the HTC Hero is completely painless if you could get rid of the limitation. It's funny, I just bought the device and my ADSL went down. Enabled tethering in the settings menu and coupled it to my Linux host using USB, expecting a few hours of fun. Literally seconds later my internet connection was established.

    Now for Bluetooth tethering in 2.1, my ThinkPad is BT 2.1 enabled, so that would be great during trips - although it will drain the battery just a tad more.

    The thing that *is* really painful is that my XS4ALL provider also provides WiFi hotspots, which the android phone can use without any trouble. The problem with that is that KPN, the provider of the hotspots, requires a login through HTTP redirects. This means that if I use WiFi autoconnect, all the applications stop or even crash since their packets are routed into a black hole.

  12. Re:Also.. on Sprint Unveils HTC Evo 4G Super Phone · · Score: 1

    Why aren't there phones where you can change the battery without losing the connections/OS? With the current battery prices I would love to take a few charged batteries on holidays.

    At least my HTC Hero will accept the bigger battery. It seems that the HTC Legend uses a battery "slot" instead. That design choice will probably limit the choice of battery to use - it certainly won't fit the 3000 AH battery I just bought.

    (I was about to write 3K mAH, but that's just weird)

  13. Re:One flaw... on Sprint Unveils HTC Evo 4G Super Phone · · Score: 1

    Just plug it into the USB plug provided by your television.

  14. Re:Battery life? on Sprint Unveils HTC Evo 4G Super Phone · · Score: 1

    All the current phones use current if you use them continuously like a computer. But that goes for all battery powered devices - if you have an LCD color screen and a reasonably fast CPU, then the power requirements will be high.

    If I use my android sparingly it will last a few days, which is - imho - ample, unless I am on vacation. And when I am on vacation I just connect the phone to my laptop or any other USB enabled device. In emergencies I could even bring my charger :)

    Since I am a bit of a nerd in the sense that I am behind a computer a long time of the day, the idea that you only require a mini or micro USB cable to charge your phone is simply brilliant - the phone will be right where I want it while it is charging (*and* providing an internet connection / data sync to boot).

  15. Re:...Or an arms race on SSD Price Drops Signaling End of Spinning Media? · · Score: 1

    Very good points, we'll probably have to rely on the chipset to solve those problems - the trick is keeping the latency to a minimum.

    I'm not so sure SATA is the way to go for addressing Flash (or hopefully, phase change memory) in the long haul. PCI already makes more sense, initially manufacturers could just emulate the SATA part in software or hardware if required - it's a bit tricky for boot-up using a standard BIOS though.

  16. Re:Interesting assumptions on SSD Price Drops Signaling End of Spinning Media? · · Score: 1

    Where are the laptops that offer a (1.8" or smaller?) SSD and a big slow inexpensive rotating platter, that's what I want to know (and where can I get one?).

    And if anyone wants to produce this idea I have for a generic drive cradle that plugs into that slimline SATA DVD drive, I've got some initial drawings for free :)

  17. Re:Price isn't everything on SSD Price Drops Signaling End of Spinning Media? · · Score: 1

    In a server environment...where they are accessed continuously.

  18. Re:...Or an arms race on SSD Price Drops Signaling End of Spinning Media? · · Score: 1

    I don't understand. As long as you still treat it like a hard disk drive from within the OS and not just memory, why not use direct CPU addressing? I might be missing the point, so please enlighten me.

  19. Re:In 5 years on SSD Price Drops Signaling End of Spinning Media? · · Score: 1

    That was the shortest and clearest reply possible to that stupid point. Well done!

  20. Re:There Is Hope! on Is the Line-in Jack On the Verge of Extinction? · · Score: 5, Funny

    No-no-no. You need a 50 dollar gold plated monster transistor for it to sound reasonably ok. All my 5 cent transistors are solid gold.

  21. Re:We've been hearing about "e-ink" since the 1970 on What Is Holding Back the Paperless Office? · · Score: 1

    That *was* a joke. Good gods, don't you guys think I took flexible just a tad out of context here?

  22. You! on What Is Holding Back the Paperless Office? · · Score: 2, Interesting

    What's holding down the paperless Office? The answer is mainly: you. I've been working at my IT job for a few years. Almost if not all of my communication is by mail, phone or coffee machine. I normally do not read anything offline, and if I write anything down it's because I do the exercise to remember. Only top priority notes are kept, and they are directly typed into a document on the server.

    I've recently had to host a meeting with 20 persons and I just used a laptop and a projector. The persons hosting the meeting before gave everybody a lot of paper (which 90 percent won't even read because they are not directly involved). I just gave them one double sided page so they could scribble some notes next to the items on the agenda.

    I absolutely hate paper when I'm at work. Office documents need versions, need to be able to be pushed around, deleted and changed. You must be able to search through them quickly. Novels are much better in a book, but at work, I would prefer digital versions every time (even though paper even there certainly has its advantages).

    Of course I do have double screens at work, something every IT person should have - if only to minimize costs.

  23. Re:In short on What Is Holding Back the Paperless Office? · · Score: 2, Funny

    "I have yet to find anything that can replace the flexibility of a notepad.."

    You may have to wait for the flexible eInk displays that should be coming out in a year or so.

  24. Re:It doesn't look very understandable to me on ISC Releases the First Look At BIND 10 · · Score: 1

    Looking from this comment, it's for the good of all that you did not perform a code review. You seem too much of a whiner, and even worse, someone that always wants to have his way.

    I have been developing for years and years and although code simplicity is an important goal, it certainly isn't the only one. Having well designed interfaces between components is - for instance - something that really pays off during maintenance. Well defined (sometimes long) variable names allow you to write less comments (that don't keep up with the actual code in many cases).

    That said, I think you've certainly got your head screwed on correctly, and you make many valid points. Having a wrapper for mundane tasks like base64 certainly is not a good idea. Wrappers in general should be used sparingly, because they are often less well thought out / tested than the code they try to wrap. And they add significantly to the maintenance if they are used from multiple components.

    Now, the trick is to come off your high horse and come and help. There will be people out there with different opinions, and they will write imperfect code and do things in different ways. Personally I would never use non-managed code to write business applications, but here I am typing away in Firefox on Ubuntu. See the bad and the good.

    (OK, I'm going back reviewing the JSR-310 Date Time API now, 3 pages of comments and counting - reviewers, we need you!)

  25. Re:Why BIND 10 is a rewrite on ISC Releases the First Look At BIND 10 · · Score: 1

    Huh? Wasn't it the problem that others wrote the new code? Are you trying to suggest that they should not ever rewrite BIND?