...to be able to enjoy the fruits of their own labours.......they look down on us...
Now, granted, I agree with American concept that you should be able to spell the word however you like. The US is certainly enough of a melting pot that I have no problem with immigrants, and I don't think it makes you less "american".
So I don't actually have a problem, here, I'm just curious...
That looks a bit British to me.
Maybe you know firsthand why "they" look down on "us"? Maybe you've been on both sides of that looking-down?
Oh, and I agree with you, although I don't think the US has a monopoly on stupidity. If you've looked at civil liberties, it's hard to say who's rushing to turn into a police state faster.
Let's all take a moment to reflect on the fact that it took Flash over ten versions -- worse than that, over ten years -- to get to where Quake was, well, over ten years ago.
Does anyone think it would've taken half this long if Flash had been open source? (And let's not forget -- despite all it's missing, Gnash has managed an OpenGL port.)
I only know about them because RightScale is using them.
Of course, when presented with this problem, I took an entirely different approach -- I wrote a DNS-as-REST server in Rails, and then a simple pipeclient-to-REST client/plugin for PowerDNS. The assumption is, it doesn't really have to perform well -- so long as it supports AXFR, you can set up any DNS server (or just about any provider) as a slave.
Wikipedia describes "usability" as:.. a term used to denote the ease with which people can employ a particular tool or other human-made object in order to achieve a particular goal.
Which is exactly my point. Let's take your example:
if my 4yr old daughter can pickup my iPhone and follow an intuitive interface to take a photo, view pictures, and touch an icon to call someone, all within the period of about 10 minutes,
If your goals are simple, especially if one of them is to spend as little time learning as possible, then discoverability is usability to you. And that makes sense.
If your goals are more ambitious -- say you want to enter a photography contest. We can even say your four-year-old is a prodigy, and she has a chance. In that case, you probably want a good, quality SLR camera. One which has a manual mode, if not one which is entirely manual. One for which you may need to not only read the manual, but take a course.
That's a case where the iPhone camera is not going to cut it. It is, in fact, feature-free to the point of being unusable for that purpose.
Another example: Software development. Every attempt which has been made to make this "easy" for regular office workers has resulted in disaster. I don't say "ended in disaster", because it hasn't ended -- we still have people running applications written in Excel. Various attempts at building some sort of program-building point-and-click GUI have had really clumsy and unintuitive UIs.
So, it turns out, the most usable interface for the bulk of actual software development is still a text editor. Or an IDE -- which is, honestly, a glorified text editor.
And while you might have a shot with the camera, it's unlikely you'll be able to teach yourself to program in two or three days. Even with the camera, you're not going to be 80% of an Ansel Adams in two or three days.
And if you've missed it, let me spell it out for you: Usability is, by definition, subjective, and varies depending on the person and the use case.
How long did it take you to learn how to use a computer in the first place? Your first GUI?
How about a web browser?
Granted, you need a good reason for having such a high learning curve, and most cell phone features don't really have one. But usability is about more than just discoverability and learning curve.
It is usually 200+ pages, in 5 different languages.
In other words, if you flip to your native language, you'll find that it's less than 50 pages, in one language? You don't have to read every single language, you know.
If a user cannot pickup the device and begin to use 80% of the features within a few days, then the user interface, the device, and the concept, is broken.
How long did it take you to use the machine you're typing this on?
Granted, I find most phones to be reasonably intuitive, and I find it quite absurd that most people have such trouble exploring any UI this simple. I would guess it's due to people not being taught to explore -- being taught, rather, to learn things by rote, and never vary. (I couldn't tell you, at this moment, how to clear a cookie in Firefox. But if I had Firefox open, I could find it in maybe 20 seconds.)
I imagine they could have more than one outward-facing IP. Two would mean they have two 16-bit port numbers to choose from. That would actually be enough, given that it's doubtful they're using more than a/8 network.
Of course, I'm assuming GP wasn't joking. I don't know -- never heard of China NAT-ing.
Of course all of these things will not go away just from securing domain name lookups - things get a lot easier to check when we "know" the source of the connection.
And if the "source" happens to be legitimate, but is not using DNSSEC?
I suppose I should have checked the boxes indicating people who will not put up with it.
But to look at the situation with telephones, caller ID makes a huge difference to tracking down criminals.
Caller ID is opt-out, and law enforcement has an override to the normal level of opting-out.
Countermeasures must work if phased in gradually
Lets imagine we have location security, we can begin to build a web of trust for mail servers now.
And the day when you start using that web of trust to classify mail is the day I get blocked for not participating in it.
It's also the day people in business, particularly in marketing, start to riot, because they need to be able to receive mail from anyone, so long as it's not spam. You can't have mail from a prospective customer being blocked.
That's a good point, but when companies like AOL use Spamhaus, it means a huge number of email accounts are going to drop mail from anything in that list immediately.
So while Spamhaus does "passively" list people there, let's not fool ourselves -- when they update that list, they cause people to be blocked. If an entire ISP is blocked from communicating with most email accounts out there, then that ISP is going to feel the pressure.
DNSSEC is signed DNS entries, where the fetch of each domain level retrieves a key and DNS entries signed using a private copy of that key. Client verifies entries using the public copy of the key.
So, in other words, anywhere between here and the root servers, someone could pull an effective MITM.
You still don't seem to see the difference between securing the stream, and securing information about where the stream should be sent to.
I do, it's just that SSL covers both. The difference is that the "where" in this case is not an IP address, but a private key, which is considerably more secure.
No need for rudeness. I'd suggest you read up some more on security.
I don't think I was condescending, except for mentioning the spam form -- and I think it is relevant. Let me know if I've made some incorrect assumptions:
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses ( ) Mailing lists and other legitimate email uses would be affected ( ) No one will be able to find the guy or collect the money ( ) It is defenseless against brute force attacks (X) It will stop spam for two weeks and then we'll be stuck with it ( ) Users of email will not put up with it ( ) Microsoft will not put up with it ( ) The police will not put up with it (X) Requires too much cooperation from spammers ( ) Requires immediate total cooperation from everybody at once ( ) Many email users cannot afford to lose business or alienate potential employers ( ) Spammers don't care about invalid addresses in their lists ( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it ( ) Lack of centrally controlling authority for email (X) Open relays in foreign countries ( ) Ease of searching tiny alphanumeric address space of all email addresses (X) Asshats ( ) Jurisdictional problems ( ) Unpopularity of weird new taxes ( ) Public reluctance to accept weird new forms of money ( ) Huge existing software investment in SMTP ( ) Susceptibility of protocols other than SMTP to attack ( ) Willingness of users to install OS patches received by email (X) Armies of worm riddled broadband-connected Windows boxes ( ) Eternal arms race involved in all filtering approaches ( ) Extreme profitability of spam ( ) Joe jobs and/or identity theft ( ) Technically illiterate politicians ( ) Extreme stupidity on the part of people who do business with spammers (X) Dishonesty on the part of spammers themselves ( ) Bandwidth costs that are unaffected by client filtering ( ) Outlook
and the following philosophical objections may also apply:
(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical ( ) Any scheme based on opt-out is unacceptable ( ) SMTP headers should not be the subject of legislation ( ) Blacklists suck (X) Whitelists suck ( ) We should be able to talk about Viagra without being censored ( ) Countermeasures should not involve wire fraud or credit card fraud ( ) Countermeasures should not involve sabotage of public networks (X) Countermeasures must work if phased in gradually ( ) Sending email should be free ( ) Why should we have to trust you and your servers? ( ) Incompatiblity with open source or open source licenses (X) Feel-good measures do nothing to solve the problem ( ) Temporary/one-time email addresses are cumbersome ( ) I don't want the government reading my email ( ) Killing them that way is not slow and pain
Consider a cooling system. Is there any reason that shouldn't be software-controlled? If it is, the user could conceivably turn off all fans, thus overheating the device.
Sure, you could take away enough functionality that the user can't do that. But that's the tradeoff -- functionality. No decent gun wouldn't allow you to shoot yourself in the foot.
But then, I do think Linux should be in Intel's Q&A, especially for something like a network card.
Any candidate who never bends to the realities of the situation would be a pretty horrible leader.
Let's be clear. What, precisely, do you mean by "bending to the realities of the situation"?
Do you mean we should tolerate riders on bills?
Do you mean that we should tolerate broken promises? Under what circumstances?
Using votes on particular bills in Congress as evidence that someone supports or is against various philosophies is pretty disingenuous.
That's not the problem here.
The problem is, he said, very specifically, that he would filibuster any such bill. Not "any bill that doesn't also have things on it that I want." Not "any bill that's not as bad as I thought."
No, he said any bill.
And he didn't. He even voted for said bill -- and there is no question that this bill grants retroactive immunity.
It's not a question of abstract philosophies, or even concrete ones. It's simple honesty:
He said one very specific thing that he would do. He then quietly did the opposite. That is a broken promise.
Perhaps he shouldn't have promised anything about the way he would vote. Perhaps he should have kept it abstract. Then there would actually be a debate here.
But he didn't. He promised one thing, and did another.
It's very difficult to trust a person who does that. No matter what their intentions, who is to say what it will be next time? Perhaps he'll sign a bill which grants ISPs the right to throttle anything they want, because there's something else on the bill he likes. Perhaps he'll sign a bill approving torture... Impossible to say.
It's worth mentioning that if the government is going to go to some expense to implement DNSSEC, it would be far more beneficial for them to simply SSL all their sites.
there are trivially simple ways evil hacker can present content to me that will be HTTPS and yet be going to whatever site he does control, like simply pointing an insecure FORM at an HTTPS target on a URL evil hacker DOES own
Except that if the page that form is on is encrypted, he can't intercept it and send the form. That is, unless said page is on a domain he controls, as you say -- in which case, the URL will be https://evilhackersite.com/whatever, and I won't fill out the form, nor will my browser auto-fill my information to that page.
Combine that with clever framing
Irrelevant. Still doesn't get around the problem where the root frame must be a domain I trust -- meaning that domain could very well choose not to use frames. Problem solved.
some plausible sounding URLs
Extremely unlikely that you'll be able to get a cert for https://paypals.com/, particularly an extended-validation cert.
And borderline impossible that you'll be able to get one of those for any.gov domain, which is what this is about. How, exactly, are you going to fool me into thinking I'm on an https://whatever.gov/ page when I'm not?
What's more, every single attack you've described works just as effectively over DNSSEC. There really aren't many attacks which work over DNSSEC but not HTTPS, compared to the attacks which work over HTTPS, but not DNSSEC.
Suppose I can spoof your DNS. HOW CAN YOU EVER BE SURE ANYTHING YOU DO FROM THEN ON FOREVER is not under my control?
Firstly, it's unlikely you can spoof my DNS -- I VPN home when on untrusted networks, so you won't be doing it on the Starbucks wifi.
Second, it's simple: I use HTTPS, or better. You're not getting my email, or my PayPal account, or my Slicehost account, or anything else I care about.
for spoofing with HTTPS to work without provoking some kind of warning, the spoofer needs a "valid" certificate (private key) with a valid correct certificate chain for the domain in question - it doesn't have to be the private key of the real owner...
It does, however, have to be the private key of either the real owner or someone at a CA.
What does DNSSEC provide, exactly? I don't see any kind of CA system in place.
DNSSEC helps in adding some extra confidence.
How so, if you're already using SSL?
It's like encrypting a file with single DES, and then re-encrypting that same file with AES256. WTF was the point of the DES in the first place?
But lets not forget how many people just use unsecured site access - I pop along to my bank http site to obtain a phone number to call them....
And let's not forget how many browsers don't support DNSSEC, or how many people will just use a public terminal.
If we're going to make things secure, it has to go both ways -- users have to be educated, at least somewhat ("Look for the green bar!"). If we're not going to be secure (just call a number you found on an untrusted link to your bank site, and give them all your info), what's the point of this discussion?
With how honest Obama has been lately, how can I believe those books?
He not only said he'd vote against any bill that grants telecom immunity, he said he'd filibuster such a bill.
I have heard all sorts of arguments about why it was somehow a good move. I don't care -- he said he would do one thing, and did another. We already have a blatant broken promise.
It slows down anyone who wants to manipulate the client, but it cannot ever stop them.
That's true, but slow it down enough, and it will mostly work. And unlike other forms of DRM, this isn't something you crack once and distribute via torrent -- it becomes an arms race to keep even a single game cheatable, because the next patch could always break it.
Therefore, if I want to play with people who don't cheat, all I have to do is find a decent server that stays up to date (and insists all clients do, also), and at least there's a decent chance.
Contrast this to copy protection, where it's a losing race to keep even a single game un-pirated, and where most of the measures target a very strange demographic -- namely those who would be savvy enough to share a CD amongst themselves, install daemontools and rip an image, and yet not savvy enough to know how to use torrents.
But we're not talking about DRM any more; anti-cheat protections are a different beast, and one that almost no one objects to (unless they interfere with the normal operation of the game).
Plenty of people object to Warden (from WoW), which seems to want to know and track more about the user's system than it ought to. But it helps to figure out whether or not they have a cheat program running.
And many of the same properties of DRM apply -- even the way I interpret that name (Digital Restrictions Management) applies as well. By its very nature, it limits the ways in which you use a game -- pretty much the same as DRM does.
The most fundamental difference is that DRM does not directly benefit consumers, at all. Cheat prevention does.
So, what, exactly, does Apple sell for the iPhone?
By offering up a competitor to iTunes or even to Mail.app (which offers unique integration into THEIR ecosystem), Apple would undermine their own ability to make a profit.
On hardware?
I haven't bought an iPhone, largely because of the insane amount of lock-in on the thing. I might be more likely to buy it if I knew there would be a competitor to Mail.app. So Apple has lost an iPhone sale due to this.
What, exactly, would they lose if I'd bought an iPhone and used this other app, instead of the free built-in Mail.app?
If Apple allowed a competing mail app, this would encourage more people to buy the iPhone (more money for Apple), and I'm sure they get a cut of sales through the App Store (even more money for Apple).
No one has built an effective Mail client for Mac OS X.
Thunderbird isn't effective?
No one has built a good replacement for ANY of the Mac OS X's system tools, BECAUSE Apple closes their system effectively.
Or maybe because there's really not a market for someone to duplicate the functionality of, say, Disk Utility. And there's really not a lot you can do on top of Disk Utility.
True Microsoft is the T-Rex, but they don't compete in markets like system tools, mail clients, etc.
WTF? Can it be you don't know about Outlook?
Sure, they don't ban these other markets, but it's not as though they don't attempt to compete.
And when the app you need to use to admin the device has no capacity to use a name to establish a connection?
If the app is that poorly written, what are the chances it supports IPv6 in the first place? That's a sign you should get a new app, not that there's something wrong with IPv6+DNS.
...to be able to enjoy the fruits of their own labours.... ...they look down on us...
Now, granted, I agree with American concept that you should be able to spell the word however you like. The US is certainly enough of a melting pot that I have no problem with immigrants, and I don't think it makes you less "american".
So I don't actually have a problem, here, I'm just curious...
That looks a bit British to me.
Maybe you know firsthand why "they" look down on "us"? Maybe you've been on both sides of that looking-down?
Oh, and I agree with you, although I don't think the US has a monopoly on stupidity. If you've looked at civil liberties, it's hard to say who's rushing to turn into a police state faster.
Let's all take a moment to reflect on the fact that it took Flash over ten versions -- worse than that, over ten years -- to get to where Quake was, well, over ten years ago.
Does anyone think it would've taken half this long if Flash had been open source? (And let's not forget -- despite all it's missing, Gnash has managed an OpenGL port.)
dnsmadeeasy.
I only know about them because RightScale is using them.
Of course, when presented with this problem, I took an entirely different approach -- I wrote a DNS-as-REST server in Rails, and then a simple pipeclient-to-REST client/plugin for PowerDNS. The assumption is, it doesn't really have to perform well -- so long as it supports AXFR, you can set up any DNS server (or just about any provider) as a slave.
Wikipedia describes "usability" as: .. a term used to denote the ease with which people can employ a particular tool or other human-made object in order to achieve a particular goal.
Which is exactly my point. Let's take your example:
if my 4yr old daughter can pickup my iPhone and follow an intuitive interface to take a photo, view pictures, and touch an icon to call someone, all within the period of about 10 minutes,
If your goals are simple, especially if one of them is to spend as little time learning as possible, then discoverability is usability to you. And that makes sense.
If your goals are more ambitious -- say you want to enter a photography contest. We can even say your four-year-old is a prodigy, and she has a chance. In that case, you probably want a good, quality SLR camera. One which has a manual mode, if not one which is entirely manual. One for which you may need to not only read the manual, but take a course.
That's a case where the iPhone camera is not going to cut it. It is, in fact, feature-free to the point of being unusable for that purpose.
Another example: Software development. Every attempt which has been made to make this "easy" for regular office workers has resulted in disaster. I don't say "ended in disaster", because it hasn't ended -- we still have people running applications written in Excel. Various attempts at building some sort of program-building point-and-click GUI have had really clumsy and unintuitive UIs.
So, it turns out, the most usable interface for the bulk of actual software development is still a text editor. Or an IDE -- which is, honestly, a glorified text editor.
And while you might have a shot with the camera, it's unlikely you'll be able to teach yourself to program in two or three days. Even with the camera, you're not going to be 80% of an Ansel Adams in two or three days.
And if you've missed it, let me spell it out for you: Usability is, by definition, subjective, and varies depending on the person and the use case.
Let me rephrase that, then:
How long did it take you to learn how to use a computer in the first place? Your first GUI?
How about a web browser?
Granted, you need a good reason for having such a high learning curve, and most cell phone features don't really have one. But usability is about more than just discoverability and learning curve.
It is usually 200+ pages, in 5 different languages.
In other words, if you flip to your native language, you'll find that it's less than 50 pages, in one language? You don't have to read every single language, you know.
If a user cannot pickup the device and begin to use 80% of the features within a few days, then the user interface, the device, and the concept, is broken.
How long did it take you to use the machine you're typing this on?
Granted, I find most phones to be reasonably intuitive, and I find it quite absurd that most people have such trouble exploring any UI this simple. I would guess it's due to people not being taught to explore -- being taught, rather, to learn things by rote, and never vary. (I couldn't tell you, at this moment, how to clear a cookie in Firefox. But if I had Firefox open, I could find it in maybe 20 seconds.)
I imagine they could have more than one outward-facing IP. Two would mean they have two 16-bit port numbers to choose from. That would actually be enough, given that it's doubtful they're using more than a /8 network.
Of course, I'm assuming GP wasn't joking. I don't know -- never heard of China NAT-ing.
Of course all of these things will not go away just from securing domain name lookups - things get a lot easier to check when we "know" the source of the connection.
And if the "source" happens to be legitimate, but is not using DNSSEC?
I suppose I should have checked the boxes indicating people who will not put up with it.
But to look at the situation with telephones, caller ID makes a huge difference to tracking down criminals.
Caller ID is opt-out, and law enforcement has an override to the normal level of opting-out.
Countermeasures must work if phased in gradually
Lets imagine we have location security, we can begin to build a web of trust for mail servers now.
And the day when you start using that web of trust to classify mail is the day I get blocked for not participating in it.
It's also the day people in business, particularly in marketing, start to riot, because they need to be able to receive mail from anyone, so long as it's not spam. You can't have mail from a prospective customer being blocked.
In which case, the blame would be where it belongs -- on the open source developers. At least that way, they've got an opportunity to get it right.
That's a good point, but when companies like AOL use Spamhaus, it means a huge number of email accounts are going to drop mail from anything in that list immediately.
So while Spamhaus does "passively" list people there, let's not fool ourselves -- when they update that list, they cause people to be blocked. If an entire ISP is blocked from communicating with most email accounts out there, then that ISP is going to feel the pressure.
DNSSEC is signed DNS entries, where the fetch of each domain level retrieves a key and DNS entries signed using a private copy of that key. Client verifies entries using the public copy of the key.
So, in other words, anywhere between here and the root servers, someone could pull an effective MITM.
You still don't seem to see the difference between securing the stream, and securing information about where the stream should be sent to.
I do, it's just that SSL covers both. The difference is that the "where" in this case is not an IP address, but a private key, which is considerably more secure.
No need for rudeness. I'd suggest you read up some more on security.
I don't think I was condescending, except for mentioning the spam form -- and I think it is relevant. Let me know if I've made some incorrect assumptions:
Your post advocates a
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(X) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(X) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and pain
I don't think that's entirely possible.
Consider a cooling system. Is there any reason that shouldn't be software-controlled? If it is, the user could conceivably turn off all fans, thus overheating the device.
Sure, you could take away enough functionality that the user can't do that. But that's the tradeoff -- functionality. No decent gun wouldn't allow you to shoot yourself in the foot.
But then, I do think Linux should be in Intel's Q&A, especially for something like a network card.
With DNSSEC, I have to go to the additional effort of social engineering the DNS entry too
Does DNSSEC have a concept of a certificate authority? Or could you simply spoof the DNSSEC entry as well?
the internet is not just secure websites - what about securing email?
For user-level security, there's GPG. For account-level security, there's still SSL -- HTTPS for web apps, but SSL for IMAP, also.
As I mentioned before, I'd love this since we can then begin to clear up the mess that is spam.
Should I fill out The Form for you?
Banks tend to have ridiculous security measures.
No, I don't mean "ridiculously secure", I mean ridiculously annoying, and ridiculous that anyone believes they make it more secure.
I'm particularly looking at the wish-it-was two-factor authentication. I absolutely do not want that on PayPal.
Any candidate who never bends to the realities of the situation would be a pretty horrible leader.
Let's be clear. What, precisely, do you mean by "bending to the realities of the situation"?
Do you mean we should tolerate riders on bills?
Do you mean that we should tolerate broken promises? Under what circumstances?
Using votes on particular bills in Congress as evidence that someone supports or is against various philosophies is pretty disingenuous.
That's not the problem here.
The problem is, he said, very specifically, that he would filibuster any such bill. Not "any bill that doesn't also have things on it that I want." Not "any bill that's not as bad as I thought."
No, he said any bill.
And he didn't. He even voted for said bill -- and there is no question that this bill grants retroactive immunity.
It's not a question of abstract philosophies, or even concrete ones. It's simple honesty:
He said one very specific thing that he would do. He then quietly did the opposite. That is a broken promise.
Perhaps he shouldn't have promised anything about the way he would vote. Perhaps he should have kept it abstract. Then there would actually be a debate here.
But he didn't. He promised one thing, and did another.
It's very difficult to trust a person who does that. No matter what their intentions, who is to say what it will be next time? Perhaps he'll sign a bill which grants ISPs the right to throttle anything they want, because there's something else on the bill he likes. Perhaps he'll sign a bill approving torture... Impossible to say.
HOWEVER that is rarely the case, home pages are always straight HTTP.
https://www.paypal.com/
https://mail.google.com/
It's worth mentioning that if the government is going to go to some expense to implement DNSSEC, it would be far more beneficial for them to simply SSL all their sites.
there are trivially simple ways evil hacker can present content to me that will be HTTPS and yet be going to whatever site he does control, like simply pointing an insecure FORM at an HTTPS target on a URL evil hacker DOES own
Except that if the page that form is on is encrypted, he can't intercept it and send the form. That is, unless said page is on a domain he controls, as you say -- in which case, the URL will be https://evilhackersite.com/whatever, and I won't fill out the form, nor will my browser auto-fill my information to that page.
Combine that with clever framing
Irrelevant. Still doesn't get around the problem where the root frame must be a domain I trust -- meaning that domain could very well choose not to use frames. Problem solved.
some plausible sounding URLs
Extremely unlikely that you'll be able to get a cert for https://paypals.com/, particularly an extended-validation cert.
And borderline impossible that you'll be able to get one of those for any .gov domain, which is what this is about. How, exactly, are you going to fool me into thinking I'm on an https://whatever.gov/ page when I'm not?
What's more, every single attack you've described works just as effectively over DNSSEC. There really aren't many attacks which work over DNSSEC but not HTTPS, compared to the attacks which work over HTTPS, but not DNSSEC.
Suppose I can spoof your DNS. HOW CAN YOU EVER BE SURE ANYTHING YOU DO FROM THEN ON FOREVER is not under my control?
Firstly, it's unlikely you can spoof my DNS -- I VPN home when on untrusted networks, so you won't be doing it on the Starbucks wifi.
Second, it's simple: I use HTTPS, or better. You're not getting my email, or my PayPal account, or my Slicehost account, or anything else I care about.
for spoofing with HTTPS to work without provoking some kind of warning, the spoofer needs a "valid" certificate (private key) with a valid correct certificate chain for the domain in question - it doesn't have to be the private key of the real owner...
It does, however, have to be the private key of either the real owner or someone at a CA.
What does DNSSEC provide, exactly? I don't see any kind of CA system in place.
DNSSEC helps in adding some extra confidence.
How so, if you're already using SSL?
It's like encrypting a file with single DES, and then re-encrypting that same file with AES256. WTF was the point of the DES in the first place?
But lets not forget how many people just use unsecured site access - I pop along to my bank http site to obtain a phone number to call them....
And let's not forget how many browsers don't support DNSSEC, or how many people will just use a public terminal.
If we're going to make things secure, it has to go both ways -- users have to be educated, at least somewhat ("Look for the green bar!"). If we're not going to be secure (just call a number you found on an untrusted link to your bank site, and give them all your info), what's the point of this discussion?
With how honest Obama has been lately, how can I believe those books?
He not only said he'd vote against any bill that grants telecom immunity, he said he'd filibuster such a bill.
I have heard all sorts of arguments about why it was somehow a good move. I don't care -- he said he would do one thing, and did another. We already have a blatant broken promise.
What does DNSSEC buy me if I use https?
And if irs.gov isn't supporting https, wouldn't that be the place to start, rather than DNSSEC?
But if you had any idea about his history, you wouldn't be so enthusiastic about him.
I'm not, particularly. I just can't see how he could possibly be as bad as the opposition, right now.
So, what about his history? Citation needed.
Palin has a history of kicking the asses of unethical politicians, including politicians in her own party.
Yes, when it's politically convenient for her to do so. She was all for Ted Stevens until she got the governor job -- didn't he help her with that?
It slows down anyone who wants to manipulate the client, but it cannot ever stop them.
That's true, but slow it down enough, and it will mostly work. And unlike other forms of DRM, this isn't something you crack once and distribute via torrent -- it becomes an arms race to keep even a single game cheatable, because the next patch could always break it.
Therefore, if I want to play with people who don't cheat, all I have to do is find a decent server that stays up to date (and insists all clients do, also), and at least there's a decent chance.
Contrast this to copy protection, where it's a losing race to keep even a single game un-pirated, and where most of the measures target a very strange demographic -- namely those who would be savvy enough to share a CD amongst themselves, install daemontools and rip an image, and yet not savvy enough to know how to use torrents.
But we're not talking about DRM any more; anti-cheat protections are a different beast, and one that almost no one objects to (unless they interfere with the normal operation of the game).
Plenty of people object to Warden (from WoW), which seems to want to know and track more about the user's system than it ought to. But it helps to figure out whether or not they have a cheat program running.
And many of the same properties of DRM apply -- even the way I interpret that name (Digital Restrictions Management) applies as well. By its very nature, it limits the ways in which you use a game -- pretty much the same as DRM does.
The most fundamental difference is that DRM does not directly benefit consumers, at all. Cheat prevention does.
good job /b/, this is why we cant have nice things.
That statement, verbatim, applies to so many things in life...
Apple sells software to drive hardware sales.
So, what, exactly, does Apple sell for the iPhone?
By offering up a competitor to iTunes or even to Mail.app (which offers unique integration into THEIR ecosystem), Apple would undermine their own ability to make a profit.
On hardware?
I haven't bought an iPhone, largely because of the insane amount of lock-in on the thing. I might be more likely to buy it if I knew there would be a competitor to Mail.app. So Apple has lost an iPhone sale due to this.
What, exactly, would they lose if I'd bought an iPhone and used this other app, instead of the free built-in Mail.app?
No. This is pure profit motive, that's all.
And how much profit does Apple make on Mail.app?
If Apple allowed a competing mail app, this would encourage more people to buy the iPhone (more money for Apple), and I'm sure they get a cut of sales through the App Store (even more money for Apple).
No one has built an effective Mail client for Mac OS X.
Thunderbird isn't effective?
No one has built a good replacement for ANY of the Mac OS X's system tools, BECAUSE Apple closes their system effectively.
Or maybe because there's really not a market for someone to duplicate the functionality of, say, Disk Utility. And there's really not a lot you can do on top of Disk Utility.
True Microsoft is the T-Rex, but they don't compete in markets like system tools, mail clients, etc.
WTF? Can it be you don't know about Outlook?
Sure, they don't ban these other markets, but it's not as though they don't attempt to compete.
And when the app you need to use to admin the device has no capacity to use a name to establish a connection?
If the app is that poorly written, what are the chances it supports IPv6 in the first place? That's a sign you should get a new app, not that there's something wrong with IPv6+DNS.