I do not go to church anymore... I guess you might say I've come around to secular humanism, an obligation I believe all humans have to others and the world we live in.
I suppose it's contestable -- after all, secular humanism doesn't strictly require atheism.
How do you know he did not?
I don't. The burden is on you to show that he did.
Both the courts and historians generally ascribe truthfulness to witnesses and documents.
We've discussed this, and I think I've provided very good reasons why this is a bad idea. If you wish, I can direct you to some point-by-point rebuttals of Lee Strobel.
But let's suppose Paul existed, and that he really did say everything he was supposed to have said. How do you know he wasn't on drugs? How do you know his experience on the road to Damascus was genuine?
People may name their dogs Nero, but their sons have biblical names such as David, Peter, James, Joseph had many many more.
And also Rama, Krishna, and Mohammed. So what?
millions of others all around the world have never heard of him.
They have, however, heard of the Beatles.
Act 9:7 And the men who journeyed with him stood speechless, indeed hearing a voice but seeing no one.
How do you know they weren't all under the influence of something similar?
Of course they are not evil, but lost, like sheep in the wilderness.
Yet the Bible calls them evil, and says, specifically, that they do no good. You would agree with me that this is simply wrong, as in not correct.
The stubborn persistence of religion, including atheism, speaks of the deep human need for significance and purpose.... Why do so many people WANT to believe in something or someone outside of themselves?
I am not a psychologist, but there are a few factors:
Dying sucks. We don't like the idea that we won't be here anymore.
Some people need a strong parent figure, especially when we've outgrown our real parents -- when our real father has been shown to be merely human, or even dead, who plays the role of a father in our lives? Note that it doesn't always end up being God -- sometimes, it's an abusive boyfriend, for example.
The church employs powerful psychological mechanisms, and it does so deliberately. Here's an analysis of why you believe -- in particular, I am thinking of Part 2 here.
The church provides a strong sense of community, along with several other good things (like charity), which work just as well in a secular environment -- but because the church is doing it, they get associated with the church.
When we were growing up in the Savannah, survival depended very much on pattern recognition -- we are pattern-seeking creatures. If you saw a tiger that wasn't there, you might be paranoid, but you were alive. If you didn't see a tiger that was there, you were lunch. This explains why, when you look out into the beauty of the Universe, you see God all around you -- you were evolved to see patterns and intelligences, even when they aren't there.
I could go on, but like I said, I'm not really the right person to ask. Suffice to say that there are real psychological, even physiological (brain chemistry) reasons why we, as a species, are drawn to religion.
Ease of use and security, are like so many things in life, a trade-off.
Somewhat, but they also aren't mutually exclusive.
The phenomenal success of social sites like Facebook testify to the fact that many people are more than willing to share some of their most
The kind of idiot who would forward something like that is probably the same kind of idiot who would forward the password, too.
Which is why I said to use the telephone to give them the password.
The point is that if they're going to deliberately forward something confidential, they'll find a way to do it anyway. They'll listen to you on the phone as they write it on a sticky note. Then, if they have to forward the file, they'll type it into the email.
1) Criminals who exploit novice Internet users never bother with using SSL on their phishing sites
Novice users will screw up anyway. What's important is whether the system is usable by an experienced user.
2) greater than 99% of all Internet users who encounter an SSL certificate problem simply click "Okay, proceed" without bothering to understand what the warning is trying to tell them.
Which is why modern browsers make it so difficult and scary -- especially Firefox.
In terms of trust alone, SSL on the public Internet is as bad or worse as any security theatre you'll find in an airport.
Does this also apply if used properly? And if so, how?
A self-signed certificate, however, gets you encryption without trust. That in itself is valuable to someone like me. It's incredibly unlikely that anyone would want to target me specifically to pose as my email/web server. I'm mainly concerned about preventing eavesdroppers from picking up the contents of my traffic by sniffing the wifi or compromising a router along the way.
So tell me, why would someone target you specifically as an eavesdropper, but not as a MITM? It's trivial to do over wifi, even easier if they've compromised a router.
And if they did, the chances are pretty high that I would be trying to access my server using a client that already has the certificate saved, so I would likely be warned if the certificate changed in any way.
Several people have claimed this. I'm tempted to test it, to see if browsers are actually doing the right thing here...
Finally, a lot of people fail to realize that there are plenty of situations where you can have both encryption and relative trust without needing the services of a public certificate authority. Anyone can set up their own CA and distribute the root certificate to all computers and devices that need them.
Oh, I realize that, and that's fine -- if you've actually distributed them through secure channels. That also gets you around the big giant Firefox warning.
But if you're just connecting to some random forum... no. That goes double if it's something you actually care about in any way. Think of it this way -- properly signed certificates cost on the order of $20-30 per year, and require less than an hour of your time. So you're dealing either with a complete incompetent, or someone who can't afford to spend $30/year (and an hour of some admin's time) setting up a certificate.
So yes, self-signed certificates should send up giant red flags unless there's a very good reason to trust them -- like distributing and installing the CA yourself.
yes it's an escape character in C languages. Linux uses forward slash, which is the default delimiter for regular expressions. Which gets used more often?
In my code? Strings, hands down. Regexes are useful, but are also very often the wrong tool for the job. For example, never, ever,EVER parse HTML with regexes.
Windows can be far, far more productive than Linux for anything other than running a server or using the command shell.
Please provide examples.
There are specific places Windows is more productive, and almost all of them have to do with app support. If you don't have a specific application that needs Windows (and doesn't work well under Wine), there are many reasons to prefer Linux -- sane virtual desktops, for example, or global package management, or a choice of window managers...
Anything telnet can do, SSH/OpenSSH/PuTTY can do better.
Except for the things Netcat can do better. And the things for which telnet really is the only option, like certain MUDs.
But they don't include those replacements, either. It's kind of like FTP -- I see no reason to use the FTP command on Windows, except for the nice property of being able to completely avoid IE when downloading another browser, which can be needed if IE is currently screwed up.
I guess that could be rephrased: see the padlock, you think, "Oh, I'm safer." Having the padlock their is definitely better than not, don't you think?
Nope. If you were to not show them the padlock, they'd assume their data was vulnerable, which is correct. Give them a real cert and a proper padlock, and their data is much less vulnerable.
Nothing, including your life, is absolutely safe in this world.
I never said "absolutely". However, it reduces the number of things you have to trust by an enormous amount. Going from plaintext to self-signed just means someone has a narrower window to MITM you, but for that window, you still have to trust everyone on your local wifi, everyone on any non-switched network, any routers and wires between you and the server in question, your DNS server (and anyone in a position to spoof DNS packets), etc, etc.
Going from self-signed to properly signed means you now only have to trust the certificate authority, the website in question, and the fact that there aren't yet viable quantum computers.
At least one of them I know was a Christian.
Which one, if I may ask?
I am almost positively sure that nobody will know of any of these people 3000 or more years from now.
*sigh*
And a little less than two thousand years later, we know about Nero. Indeed, some Biblical scholars suspect that Nero is what is referred to as "The Beast", which makes sense in light of Jesus' statements about returning quickly, bringing the apocalypse within the lifetime of those present.
If you really want to have this discussion, bring evidence or a good argument. You've made this exact argument before, and I've countered it before, so frankly, it's boring.
If you want to, you can read God's opinion of that otherwise well-done video. The apostle Paul wrote it down for us about 20 centuries ago.
How do you know Paul got it from God? In particular, how do you know Paul's experience on the road to Damascus was anything other than dementia?
Of course, there's the demonstrably false proposition, also from scripture, that they are all fools, and I doubt you would seriously claim that they are all evil.
Wont make any difference. Lets say Im downloading at 5mbps with my torrents and you cant make a VOIP call.
Now they double. Now I download at 10mbps and you still cant make a call.
Assuming we're actually in the same building, yeah, that's a problem. But we're not. We just happen to share an ISP.
So they double, but they leave us both still with 5 mbit connections, not 10. Now I can make a call.
Overselling is the only way youre not paying T3 fracs or multiple T1 prices for your home connection. Or paying the telco company 20 grand to drag some fiber to your home.
Well, let's see...
Back home, I have fiber. Our local government subsidized it. The ISP in question seems to be doing pretty much what I've suggested -- they buy more bandwidth as they need it, so VOIP generally Just Works, even when people are torrenting a lot. But they also cap your bandwidth, and will charge you if you use ludicrous amounts.
They basically solve this problem by providing enough bandwidth that no one ever saturates the entire pipe.
There's no way an ISP will survive without basic QoS/throttling.
Well, again, if that's really the case, I think my suggestion still holds -- it should not be the ISP making the decision about what needs to be QoS'd, or in which direction.
Then your network would become unusable for many applications as VOIP would time out, videos would stutter, etc because bulk applications are in contention for the same bandwidth. The ISP would go out of business from all the complaints.
Or they would do one of two things: Either upgrade their infrastructure, or stop overselling!
See, that wasn't hard!
If it really and truly is unmanageable, another possibility would be to provide a limited amount of high-priority bandwidth to each consumer, but let them choose how to use it. But frankly, the simplest way to deal with applications like BitTorrent is to cap people's bandwidth so they stop hogging it.
#1 and #2 -- basically, this says that they can use information from my Gmail account to send invitations from my calendar, or to manage my chat contact list, etc. It says nothing about sharing with third parties.
#3 -- so what? Really?
#4 is probably the most worrying, but it seems to me that this is referring to the datamining they do -- it doesn't seem to suggest that personal information may be used in any other way than as aggregated statistics.
Read that last one twice - it means that they only have to believe that the request for information COULD be enforced, that the requester could get a warrant, not that they actually have one.
I don't see it. I've read it three times, now, trying to see how you could interpret it that way.
It essentially says that they'll preserve enough information so that they can deal with appropriate subpoenas, if they come up. But if you look at Google's actual behavior, when law enforcement has come knocking, they often fight giving up that information.
I wouldn't trust them with anything business-related, not with such a one-sided agreement.
I'm also not clear on what "business-related" has to do with it.
But let's see...
Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances:
We have your consent. We require opt-in consent for the sharing of any sensitive personal information.
We provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Privacy Policy and any other appropriate confidentiality and security measures.
We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary...
The way I interpret this is that they won't share information unless you consent, unless they're legally forced to, or to the extent that they offload their processing to a third party.
Also, you've agreed to them being able to process your data outside the US, where different laws apply.
Though it seems unlikely that they'd take their business anywhere where contracts like this don't apply -- they have their own contracts they want to support.
Forget about suing - you've already said they can do it.
Could you please bring up a specific example of something they'd do that I don't want them to?
For example, I don't want them to dig through my personal emails and send them to everyone on my contact list. And according to this policy, they won't.
Also, if I may ask, who do you do business with? Who's got a better policy? Not that I doubt one exists, I'm just curious.
Come off it. Many of us have to know how to get root on any box we can get our grubby paws on.
Good for you.
Besides, good developers administer their own machines, and their own networks. If you can't admin your own linux and bsd boxes, you're simply not qualified to be develop on them.
Great! If you're qualified to develop on them, you damned-well better be qualified to set up a little crypto on your email.
You're an admin? YOU do not touch the developer boxes, YOU do not touch the svn server.
Actually, I'm a developer. But no, I don't touch the svn server, because svn sucks. Use Git, use Mercurial, use Bazaar, use just about anything you want, but don't use SVN, or CVS, or worse, Visual SourceSafe.
Heck, YOU probably don't have root on the external servers, to keep you from screwing things up.
If I was an admin? Yeah, I would have root, and the developers wouldn't, for exactly that reason. Being a developer doesn't make you a good admin, and vice versa -- though the best admins are at least decent developers, so they can automate their job away.
You're an admin for things like setting up email? Fine - go bug the Windows users.
Exactly my point. I assumed we were talking about Windows users -- the kind of people who would have trouble checking the box that says "Use SSL" in their email settings.
If you want something safe from prying eyes, email encryption doesn't do it - people forward stuff all the time. Encrypt the attachment instead...
The kind of idiot who would forward something like that is probably the same kind of idiot who would forward the password, too.
If someone is sufficiently ignorant (I just mean non-geeky; I'm not trying to insult anyone) that they get a false sense of security, don't you think they're also going to be ignorant enough to send sensitive info in plaintext?
Nope, because right now, I can educate people who are with a very simple message: "Make sure there's an https in the URL bar. If you get a green bar, even better."
In fact, I often trained people (before it became the default) to always go to https://mail.google.com instead of gmail, in order to keep the entire session secure.
With the giant Firefox warning, they'd at least have a clue something was amiss.
Suppose it was less threatening. How much good does it do to train someone to go to https://mail.google.com/ if they could be MITM'd by any idiot in a Starbucks? How much attention are they going to pay to the warning message they'll get?
Take away the AV software which gives them a false sense of security, and I think they'll still watch porn and download BonziBuddy.
True enough, but at least they're not wasting money.
But at least without the false sense of security, they'll listen when I try to teach them. Too many people have an attitude of, "Oh, I have antivirus, so I'm safe." Basically, they delegate security to some piece of software that comes in a box, so they don't have to think about it, which is exactly the wrong way to go about it.
Put another way: If someone has a general sense of malaise and they take a homeopathic remedy, they're wasting their money. If they've been shot, broken a leg, or had a heart attack, I hope they're getting some real medical attention, and not waving the EMTs away with, "It's OK, I've got St. John's Wort!"
It guarantees that nobody can eavesdrop on the conversation you're having. You just might not be talking to the person you think you're talking to.
On a wireless connection, this is pretty worthless, because everyone within range who wants to could likely MITM you, or each other. You could be "talking to" anyone in the room -- thus, anyone within range can eavesdrop on you.
This is more or less the same problem you have with passive sniffing, and there isn't really a practical difference, other than that it's safe once the cert is stored. On the other hand, if you store the wrong cert in the first place...
I mean, compare this to SSH. How do you know you're talking to the server you think you're talking to? ~/.ssh/known_hosts . Which behaves exactly as the above.
True, but in most cases, my first SSH connection to a machine is over a trusted medium, like a crossover cable or at least a local network. I then have it in known_hosts.
Note also that if the key ever changes, SSH gives you HUGE GIANT WARNINGS and refuses to connect, much like Firefox.
In what way is a self-signed cert on https less secure than an http connection?
In the sense that it gives a false sense of security -- you see 'https', you see the padlock, you think, "Oh, I'm safe."
Also in the sense that most reputable websites use real certificates, not self-signed certificates. So, for example, if my first visit to www.paypal.com shows a self-signed certificate, my browser absolutely should be slamming on the brakes.
Now, there probably could be some better UI, a way to show that this is a self-signed certificate (and thus dangerous), but that it's still more secure than plaintext.
NN generally doesnt mean the end of QoS and throttling for technical reasons (putting priority on VOIP and gaming and putting torrents and ftp to bulk).
Yes it does, and that's most of the point.
Instead, it means ending throttling and QoS for BUSINESS REASONS.
There are always business reasons.
For example: Suppose Verizon unilaterally declares VerizonVOIP, their own, proprietary protocol, to be "the standard" voice over IP, and give it priority? Or suppose they only prioritize SIP and not Skype, or vice-versa?
That is to say, Comcast isnt going to put Vonage VOIP into the bulk category because Vonage competes with their own VOIP service.
Great, they won't do it to Vonage, but what will they do about Mumble? Will they prioritize things by default? Then VOIP won't be getting the advantage it "needs". Will they "bulk" things by default? Then Mumble will suffer.
And how, exactly, do they detect "gaming"? Do I have to attach a "gaming bit" to every packet sent? Great, now all the torrent clients will start doing that by default, long before even half the games I want to play have patched in support. Short of that, they'll have to recognize specific games and protocols, which means WoW will be fine, but, say, Nexus TK will suffer.
In other words: The very large groups in need of real-time traffic will be fine. Everyone else will be worse off than we are now. Congrats, you just raised the barrier of entry to any low-latency app.
The point is that the network should be entirely neutral with respect to the bits being sent. If I want to add that kind of QoS to my own router, that's fine, but you do not get to apply it at the ISP level. If that's a problem, maybe it's time to stop claiming "unlimited" usage and such high bandwidth, and start giving me a realistic amount of bandwidth that I can use as I please.
I mean, this isn't complicated. Go back and read their statement, vague as it is:
The 'Net should operate as a place where no "central authority" can make rules that prescribe the possible, and where entrepreneurs and network providers are able to "innovate without permission.
If I have to get permission for my homebrew VOIP protocol to get priority, the network isn't neutral. If someone is arbitrarily deciding that my neighbor down the hall chatting with her friend on Skype is more important than that Linux ISO I needed 10 minutes ago, the network isn't neutral.
If it doesn't mean the end of QoS at the ISP level, it's not network neutrality.
when a person accesses cyberspace, he or she should be able to connect with any other person that he or she wants to—and that other person should be able to receive his or her message,
Yes, but how fast?
A throttled Internet is still not a neutral network.
But when my friend comes over, he can't just use my network.
So you tell him the password. He's a friend, after all.
If it's my grandmother, it's a problem.
She's that much more likely to let you actually type it into her computer.
And when it's my business, and my client comes by, I'd like it to just work -- without him having to configure his device at all.
So it'll take an extra few seconds. I realize you want to baby your client all you can, but I think he can handle typing "h0mest4r2k" or whatever your password is.
The other solution is somewhat more complex -- set up two networks, one encrypted, one not. Then you can do things like throttle the unencrypted network, block outbound port 25, etc...
And in the real business world, where the router is hidden and secured, and it can't just be reset, and it's under load, and everything else, then it winds up being a $500 piece of equipment, with a person amnaging it, and it's just all more complicated.
Actually, that makes it simpler. There's a person managing it. It's that person's job to make it do what you say. You say, "Encrypt it, please." They say, "Ok." What goes on after that is something you're not really even involved in, and however complicated, it's also something this person should be very good at.
But I drive a convertible sportscar -- a mazda mx-5. And yeah, on a nice day, I'll park it at a mall, and I'll leave the roof open. Nothing stops anyone from jumping into the car, damaging it, throwing coffee, accidentally or maliciously, or hot-wiring it and driving it away.
Key word there. Would you leave the key in the car at the mall?
Who the h*** are YOU that I should trust you, a stranger, to mess around with MY computer?
If it's a corporate environment, I'm your IT guy, and I already have Admin access to your computer. In fact, you don't.
Who's going to do all the home computers?
For the home computers, create simple, easy-to-follow instructions on the website. The real cost is going to be support calls, I suppose.
But if we're talking about a corporate environment, I'd say, what home computers? Anyone needs to work from home, give them a corporate laptop.
How are you going to monitor email and web traffic to make sure it conforms to AUP (Acceptable Use Policies) where you work and that someone's not sending your customer list to a competitor?
Well, first, there's no real way to prevent that. If the user is really determined, they'll just drop it on a flash drive, something like that.
But given that the email is going through the corporate server, I can monitor it there. If it's something end-to-end, like PGP, I either keep all the users' keys somewhere safe, or have the PGP done on the server.
Web is similar -- funnel everything through the corporate proxy.
But this is an issue that you want to address at a much more fundamental level. You want to have employees who actually care about your company, who won't want to do things like that. That means addressing this at the level of hiring, HR, management, and office space, not at the level of IT.
Because if you can't trust your employees, you really can't trust them. It's like ISPs trying to block BitTorrent -- users will find a way around it, and the more intrusive it becomes, the more likely they are to leave for greener pastures.
I trust them with a few very specific things, yes.
those CEO says If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
Troubling, sure, but also good advice -- and no matter what the CEO says, they are, in fact, under contract.
Their job is not protecting your privacy.
Maybe not, but they are legally bound to.
do you really think you'll win if you sue google?
Actually, yeah. It'd take a class-action, but sure. But have you actually seen a case where someone has occasion to sue Google for not protecting their privacy?
After all, they'd even have your correspondence with your lawyers,
Actually, no, they wouldn't. I currently use Gmail for my school email address, because it beats what the institution has for webmail. However, I run my own mailserver for personal correspondence.
Encrypt sensitive info as a separate attachment. It's the ONLY way to be sure.
No, you could also just PGP-encrypt all your mail. I don't currently have any mail that's sensitive enough to warrant getting off my ass and doing something about it yet, though. I just don't send sensitive information over email, I deliver it by hand, or over the phone, or via more secure protocols like SSH.
using a self-signed cert is barely better than using plaintext.
I'm going to argue that it's potentially worse, because it gives a false sense of security.
get over their foolish attitude that it's pointless to force attackers to use MitM instead of passive snooping.
It has a point right now, which is more or less security through being a harder target. If you get everyone doing it, I doubt it will help very much -- MitM is painfully easy to do over wireless, and there's at least one freely available tool which does it.
Once encryption with poorly-authenticated key exchange becomes more common, people will start to see a benefit to improving their authentication,
More likely, people will say, "I'm safe, aren't I? I'm encrypted!" And then they'll go right back to ignoring us.
Think about anti-virus. We say, "Pay attention to your security!" They say, "Ok, I'll buy some anti-virus!" And then they go right back to watching porn on IE and downloading BonziBuddy.
exert market forces within crippled single-signer systems to have cheaper CAs,
It costs something on the order of $20/year for a cert. Sure, EV certs cost more, as do wildcard certs, etc, but the base cost isn't bad.
And yeah, I would much rather see a web-of-trust scheme, or at least some more decentralization of CAs, but that really doesn't seem like the problem here. Remember, we're still talking about pretty much every organization Doing It Wrong -- I'd suggest it has much more to do with getting authorization to pay for anything, and with the hardware costs.
That said, sqlrob makes a good point. If you're going to do a self-signed cert in a corporate environment, you probably can push it out to clients easily enough.
I think the primary difference is that outside of computers and internets, security is much harder to do. For example:
Your home is easy to break into. Maybe you have a lock. Maybe you have a dead-bolt. Your locks can be carded, your dead-bolt can be picked.
Replacing those with Real Security -- even replacing a lock with a deadbolt -- requires physically dismantling part of the door, at a minimum. And you have to do that for every door you want secured that way.
Contrast with, say, replacing unencrypted wireless with WPA-encrypted wireless. Takes about two minutes with a web browser.
You wouldn't want real security at your front door, because you'd be trapped outside more often than an actual burgler.
Quite possible, but again, the implications are different. For example, take said WPA-encrypted wireless -- worst case, you have to plug a cable in physically so you can get to the admin panel and recover/reset the password. If that fails, you push the big reset button. If that still fails, you buy a new router, at a cost of maybe $30 -- and in the meantime, you can plug in physically.
Yet it still provides plenty of security, given you're probably not going to leave unattended guests around the wireless router long enough to do any damage -- this is intended more to keep your neighbors from leeching your internet.
I think the problem with your analogy is that unencrypted traffic isn't like a front door with a lock. It's like a front door without a lock. Maybe your lock can be carded, maybe your deadbolt can be picked, but would you want to actually leave your house unlocked all day?
If no one is breaking in, why would you want to slow everything down.
Blowfish still hasn't been broken, and it's fast on a Pentium -- 18 clock cycles per byte -- so on a 1 ghz CPU, that's 55 megabytes per second -- that's bytes, so more like 400-500 megabits. And that's with a hypothetical 1 ghz Pentium -- modern CPUs are both faster and more efficient, and some machines have dedicated crypto hardware.
I don't care what you're using now, but AES 256 will run just fine on it -- you will not be slowing anything down. Especially if you're talking about this:
My FTP traffic isn't that important. It's just code, and very few people think they want it.
Yeah, the amount of data you're transferring, and the speeds you're transferring it at, aren't going to be slowing anything down. But that aside...
This is probably the most common mistake people make with security -- assuming that they're safe because they're not a target, and because even if they have something semi-valuable, no human would waste their time with it.
Let me guess -- you're FTP-ing some PHP files, something like that? Maybe to a webserver? Let's start by assuming it's static HTML.
Suppose I'm a malware author. I want to spread my malware to as many target PCs as I can. That means I need it hosted in as many places as I can. That means there is an incentive (albeit a small one) to pwn your website.
It's not terribly difficult for a script to intercept your FTP traffic, grab your password (which very likely is sent in the clear) or simply hijack your session, then go looking for something like index.html to infect. It doesn't have to completely replace it, just hide an exploit somewhere on that page. Suddenly, everyone visiting your homepage is getting infected with my malware.
And let's suppose it is PHP. Even better -- now I can have every hit to your website send an email. Your webserver just became a zombie for my spamming botnet.
Finally, let's suppose my script can't figure out what to do with it -- still, if you've got a few gigabytes worth of storage, I could use it to store pirated movies, warez, etc.
And all of this can be automated, so it doesn't matter how small a target you think you are. You might not be worth my time, but you sure a
I wish Thunderbird of evolution had some type of automated system for encryption, where you tagged your public key to the bottom of every e-mail.
What? Thunderbird has had this for awhile, and so has KMail, and really any decent PGP-supporting mail client. It's not at the bottom anymore, though -- the preferred way is as an attachment.
When an in coming e-mail was detected with a key at the bottom all replys were automatically encrypted.
I suspect you can configure it this way, but it's fairly pointless -- it buys you very little unless you can verify that the key in question actually belongs to that user.
the current spam-friendly email protocols we've been living with for decades haven't been replaced with authenticated sender-based protocols,
Are you telling me there's a spam-hostile email protocol possible? How does it do with The Form?
blacklist-based antivirus hasn't been replaced by a less "lossy" model of security.
Actually, the simple replacement for all antivirus is a savvy user. I don't think that's inertia, though, I think that's a weird social block we have -- we want to make this an IT problem instead of an end-user problem, because if it was an end-user problem, we'd have to educate all the end-users, and quite possibly lose a lot of otherwise-productive people who refuse to learn tech.
Slashdot Mirror
Is putty more secure than Windows telnet while doing this?
Charles Schulz the creator of "Peanuts"
"Was" being the operative term, then. A quote:
I do not go to church anymore... I guess you might say I've come around to secular humanism, an obligation I believe all humans have to others and the world we live in.
I suppose it's contestable -- after all, secular humanism doesn't strictly require atheism.
How do you know he did not?
I don't. The burden is on you to show that he did.
Both the courts and historians generally ascribe truthfulness to witnesses and documents.
We've discussed this, and I think I've provided very good reasons why this is a bad idea. If you wish, I can direct you to some point-by-point rebuttals of Lee Strobel.
But let's suppose Paul existed, and that he really did say everything he was supposed to have said. How do you know he wasn't on drugs? How do you know his experience on the road to Damascus was genuine?
People may name their dogs Nero, but their sons have biblical names such as David, Peter, James, Joseph had many many more.
And also Rama, Krishna, and Mohammed. So what?
millions of others all around the world have never heard of him.
They have, however, heard of the Beatles.
Act 9:7 And the men who journeyed with him stood speechless, indeed hearing a voice but seeing no one.
How do you know they weren't all under the influence of something similar?
Of course they are not evil, but lost, like sheep in the wilderness.
Yet the Bible calls them evil, and says, specifically, that they do no good. You would agree with me that this is simply wrong, as in not correct.
The stubborn persistence of religion, including atheism, speaks of the deep human need for significance and purpose.... Why do so many people WANT to believe in something or someone outside of themselves?
I am not a psychologist, but there are a few factors:
I could go on, but like I said, I'm not really the right person to ask. Suffice to say that there are real psychological, even physiological (brain chemistry) reasons why we, as a species, are drawn to religion.
Ease of use and security, are like so many things in life, a trade-off.
Somewhat, but they also aren't mutually exclusive.
The phenomenal success of social sites like Facebook testify to the fact that many people are more than willing to share some of their most
The kind of idiot who would forward something like that is probably the same kind of idiot who would forward the password, too.
Which is why I said to use the telephone to give them the password.
The point is that if they're going to deliberately forward something confidential, they'll find a way to do it anyway. They'll listen to you on the phone as they write it on a sticky note. Then, if they have to forward the file, they'll type it into the email.
1) Criminals who exploit novice Internet users never bother with using SSL on their phishing sites
Novice users will screw up anyway. What's important is whether the system is usable by an experienced user.
2) greater than 99% of all Internet users who encounter an SSL certificate problem simply click "Okay, proceed" without bothering to understand what the warning is trying to tell them.
Which is why modern browsers make it so difficult and scary -- especially Firefox.
In terms of trust alone, SSL on the public Internet is as bad or worse as any security theatre you'll find in an airport.
Does this also apply if used properly? And if so, how?
A self-signed certificate, however, gets you encryption without trust. That in itself is valuable to someone like me. It's incredibly unlikely that anyone would want to target me specifically to pose as my email/web server. I'm mainly concerned about preventing eavesdroppers from picking up the contents of my traffic by sniffing the wifi or compromising a router along the way.
So tell me, why would someone target you specifically as an eavesdropper, but not as a MITM? It's trivial to do over wifi, even easier if they've compromised a router.
And if they did, the chances are pretty high that I would be trying to access my server using a client that already has the certificate saved, so I would likely be warned if the certificate changed in any way.
Several people have claimed this. I'm tempted to test it, to see if browsers are actually doing the right thing here...
Finally, a lot of people fail to realize that there are plenty of situations where you can have both encryption and relative trust without needing the services of a public certificate authority. Anyone can set up their own CA and distribute the root certificate to all computers and devices that need them.
Oh, I realize that, and that's fine -- if you've actually distributed them through secure channels. That also gets you around the big giant Firefox warning.
But if you're just connecting to some random forum... no. That goes double if it's something you actually care about in any way. Think of it this way -- properly signed certificates cost on the order of $20-30 per year, and require less than an hour of your time. So you're dealing either with a complete incompetent, or someone who can't afford to spend $30/year (and an hour of some admin's time) setting up a certificate.
So yes, self-signed certificates should send up giant red flags unless there's a very good reason to trust them -- like distributing and installing the CA yourself.
yes it's an escape character in C languages. Linux uses forward slash, which is the default delimiter for regular expressions. Which gets used more often?
In my code? Strings, hands down. Regexes are useful, but are also very often the wrong tool for the job. For example, never, ever, EVER parse HTML with regexes.
Windows can be far, far more productive than Linux for anything other than running a server or using the command shell.
Please provide examples.
There are specific places Windows is more productive, and almost all of them have to do with app support. If you don't have a specific application that needs Windows (and doesn't work well under Wine), there are many reasons to prefer Linux -- sane virtual desktops, for example, or global package management, or a choice of window managers...
Anything telnet can do, SSH/OpenSSH/PuTTY can do better.
Except for the things Netcat can do better. And the things for which telnet really is the only option, like certain MUDs.
But they don't include those replacements, either. It's kind of like FTP -- I see no reason to use the FTP command on Windows, except for the nice property of being able to completely avoid IE when downloading another browser, which can be needed if IE is currently screwed up.
I guess that could be rephrased: see the padlock, you think, "Oh, I'm safer." Having the padlock their is definitely better than not, don't you think?
Nope. If you were to not show them the padlock, they'd assume their data was vulnerable, which is correct. Give them a real cert and a proper padlock, and their data is much less vulnerable.
Nothing, including your life, is absolutely safe in this world.
I never said "absolutely". However, it reduces the number of things you have to trust by an enormous amount. Going from plaintext to self-signed just means someone has a narrower window to MITM you, but for that window, you still have to trust everyone on your local wifi, everyone on any non-switched network, any routers and wires between you and the server in question, your DNS server (and anyone in a position to spoof DNS packets), etc, etc.
Going from self-signed to properly signed means you now only have to trust the certificate authority, the website in question, and the fact that there aren't yet viable quantum computers.
At least one of them I know was a Christian.
Which one, if I may ask?
I am almost positively sure that nobody will know of any of these people 3000 or more years from now.
*sigh*
And a little less than two thousand years later, we know about Nero. Indeed, some Biblical scholars suspect that Nero is what is referred to as "The Beast", which makes sense in light of Jesus' statements about returning quickly, bringing the apocalypse within the lifetime of those present.
If you really want to have this discussion, bring evidence or a good argument. You've made this exact argument before, and I've countered it before, so frankly, it's boring.
If you want to, you can read God's opinion of that otherwise well-done video. The apostle Paul wrote it down for us about 20 centuries ago.
How do you know Paul got it from God? In particular, how do you know Paul's experience on the road to Damascus was anything other than dementia?
Of course, there's the demonstrably false proposition, also from scripture, that they are all fools, and I doubt you would seriously claim that they are all evil.
Wont make any difference. Lets say Im downloading at 5mbps with my torrents and you cant make a VOIP call.
Now they double. Now I download at 10mbps and you still cant make a call.
Assuming we're actually in the same building, yeah, that's a problem. But we're not. We just happen to share an ISP.
So they double, but they leave us both still with 5 mbit connections, not 10. Now I can make a call.
Overselling is the only way youre not paying T3 fracs or multiple T1 prices for your home connection. Or paying the telco company 20 grand to drag some fiber to your home.
Well, let's see...
Back home, I have fiber. Our local government subsidized it. The ISP in question seems to be doing pretty much what I've suggested -- they buy more bandwidth as they need it, so VOIP generally Just Works, even when people are torrenting a lot. But they also cap your bandwidth, and will charge you if you use ludicrous amounts.
They basically solve this problem by providing enough bandwidth that no one ever saturates the entire pipe.
There's no way an ISP will survive without basic QoS/throttling.
Well, again, if that's really the case, I think my suggestion still holds -- it should not be the ISP making the decision about what needs to be QoS'd, or in which direction.
Then your network would become unusable for many applications as VOIP would time out, videos would stutter, etc because bulk applications are in contention for the same bandwidth. The ISP would go out of business from all the complaints.
Or they would do one of two things: Either upgrade their infrastructure, or stop overselling!
See, that wasn't hard!
If it really and truly is unmanageable, another possibility would be to provide a limited amount of high-priority bandwidth to each consumer, but let them choose how to use it. But frankly, the simplest way to deal with applications like BitTorrent is to cap people's bandwidth so they stop hogging it.
encryption on the filesystem compared to HTTPS, which would be quite different depending on how it's implemented.
It is quite different. It's apparently initializing the session that's the bottleneck.
Now, I agree that it's a minimal cost, one which should be possible to make lower (even with HTTPS as implemented), but it's still not zero.
#1 and #2 -- basically, this says that they can use information from my Gmail account to send invitations from my calendar, or to manage my chat contact list, etc. It says nothing about sharing with third parties.
#3 -- so what? Really?
#4 is probably the most worrying, but it seems to me that this is referring to the datamining they do -- it doesn't seem to suggest that personal information may be used in any other way than as aggregated statistics.
Read that last one twice - it means that they only have to believe that the request for information COULD be enforced, that the requester could get a warrant, not that they actually have one.
I don't see it. I've read it three times, now, trying to see how you could interpret it that way.
It essentially says that they'll preserve enough information so that they can deal with appropriate subpoenas, if they come up. But if you look at Google's actual behavior, when law enforcement has come knocking, they often fight giving up that information.
I wouldn't trust them with anything business-related, not with such a one-sided agreement.
I'm also not clear on what "business-related" has to do with it.
But let's see...
Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances:
The way I interpret this is that they won't share information unless you consent, unless they're legally forced to, or to the extent that they offload their processing to a third party.
Also, you've agreed to them being able to process your data outside the US, where different laws apply.
Though it seems unlikely that they'd take their business anywhere where contracts like this don't apply -- they have their own contracts they want to support.
Forget about suing - you've already said they can do it.
Could you please bring up a specific example of something they'd do that I don't want them to?
For example, I don't want them to dig through my personal emails and send them to everyone on my contact list. And according to this policy, they won't.
Also, if I may ask, who do you do business with? Who's got a better policy? Not that I doubt one exists, I'm just curious.
Come off it. Many of us have to know how to get root on any box we can get our grubby paws on.
Good for you.
Besides, good developers administer their own machines, and their own networks. If you can't admin your own linux and bsd boxes, you're simply not qualified to be develop on them.
Great! If you're qualified to develop on them, you damned-well better be qualified to set up a little crypto on your email.
You're an admin? YOU do not touch the developer boxes, YOU do not touch the svn server.
Actually, I'm a developer. But no, I don't touch the svn server, because svn sucks. Use Git, use Mercurial, use Bazaar, use just about anything you want, but don't use SVN, or CVS, or worse, Visual SourceSafe.
Heck, YOU probably don't have root on the external servers, to keep you from screwing things up.
If I was an admin? Yeah, I would have root, and the developers wouldn't, for exactly that reason. Being a developer doesn't make you a good admin, and vice versa -- though the best admins are at least decent developers, so they can automate their job away.
You're an admin for things like setting up email? Fine - go bug the Windows users.
Exactly my point. I assumed we were talking about Windows users -- the kind of people who would have trouble checking the box that says "Use SSL" in their email settings.
If you want something safe from prying eyes, email encryption doesn't do it - people forward stuff all the time. Encrypt the attachment instead...
The kind of idiot who would forward something like that is probably the same kind of idiot who would forward the password, too.
If someone is sufficiently ignorant (I just mean non-geeky; I'm not trying to insult anyone) that they get a false sense of security, don't you think they're also going to be ignorant enough to send sensitive info in plaintext?
Nope, because right now, I can educate people who are with a very simple message: "Make sure there's an https in the URL bar. If you get a green bar, even better."
In fact, I often trained people (before it became the default) to always go to https://mail.google.com instead of gmail, in order to keep the entire session secure.
With the giant Firefox warning, they'd at least have a clue something was amiss.
Suppose it was less threatening. How much good does it do to train someone to go to https://mail.google.com/ if they could be MITM'd by any idiot in a Starbucks? How much attention are they going to pay to the warning message they'll get?
Take away the AV software which gives them a false sense of security, and I think they'll still watch porn and download BonziBuddy.
True enough, but at least they're not wasting money.
But at least without the false sense of security, they'll listen when I try to teach them. Too many people have an attitude of, "Oh, I have antivirus, so I'm safe." Basically, they delegate security to some piece of software that comes in a box, so they don't have to think about it, which is exactly the wrong way to go about it.
Put another way: If someone has a general sense of malaise and they take a homeopathic remedy, they're wasting their money. If they've been shot, broken a leg, or had a heart attack, I hope they're getting some real medical attention, and not waving the EMTs away with, "It's OK, I've got St. John's Wort!"
It guarantees that nobody can eavesdrop on the conversation you're having. You just might not be talking to the person you think you're talking to.
On a wireless connection, this is pretty worthless, because everyone within range who wants to could likely MITM you, or each other. You could be "talking to" anyone in the room -- thus, anyone within range can eavesdrop on you.
This is more or less the same problem you have with passive sniffing, and there isn't really a practical difference, other than that it's safe once the cert is stored. On the other hand, if you store the wrong cert in the first place...
I mean, compare this to SSH. How do you know you're talking to the server you think you're talking to? ~/.ssh/known_hosts . Which behaves exactly as the above.
True, but in most cases, my first SSH connection to a machine is over a trusted medium, like a crossover cable or at least a local network. I then have it in known_hosts.
Note also that if the key ever changes, SSH gives you HUGE GIANT WARNINGS and refuses to connect, much like Firefox.
In what way is a self-signed cert on https less secure than an http connection?
In the sense that it gives a false sense of security -- you see 'https', you see the padlock, you think, "Oh, I'm safe."
Also in the sense that most reputable websites use real certificates, not self-signed certificates. So, for example, if my first visit to www.paypal.com shows a self-signed certificate, my browser absolutely should be slamming on the brakes.
Now, there probably could be some better UI, a way to show that this is a self-signed certificate (and thus dangerous), but that it's still more secure than plaintext.
NN generally doesnt mean the end of QoS and throttling for technical reasons (putting priority on VOIP and gaming and putting torrents and ftp to bulk).
Yes it does, and that's most of the point.
Instead, it means ending throttling and QoS for BUSINESS REASONS.
There are always business reasons.
For example: Suppose Verizon unilaterally declares VerizonVOIP, their own, proprietary protocol, to be "the standard" voice over IP, and give it priority? Or suppose they only prioritize SIP and not Skype, or vice-versa?
That is to say, Comcast isnt going to put Vonage VOIP into the bulk category because Vonage competes with their own VOIP service.
Great, they won't do it to Vonage, but what will they do about Mumble? Will they prioritize things by default? Then VOIP won't be getting the advantage it "needs". Will they "bulk" things by default? Then Mumble will suffer.
And how, exactly, do they detect "gaming"? Do I have to attach a "gaming bit" to every packet sent? Great, now all the torrent clients will start doing that by default, long before even half the games I want to play have patched in support. Short of that, they'll have to recognize specific games and protocols, which means WoW will be fine, but, say, Nexus TK will suffer.
In other words: The very large groups in need of real-time traffic will be fine. Everyone else will be worse off than we are now. Congrats, you just raised the barrier of entry to any low-latency app.
The point is that the network should be entirely neutral with respect to the bits being sent. If I want to add that kind of QoS to my own router, that's fine, but you do not get to apply it at the ISP level. If that's a problem, maybe it's time to stop claiming "unlimited" usage and such high bandwidth, and start giving me a realistic amount of bandwidth that I can use as I please.
I mean, this isn't complicated. Go back and read their statement, vague as it is:
The 'Net should operate as a place where no "central authority" can make rules that prescribe the possible, and where entrepreneurs and network providers are able to "innovate without permission.
If I have to get permission for my homebrew VOIP protocol to get priority, the network isn't neutral. If someone is arbitrarily deciding that my neighbor down the hall chatting with her friend on Skype is more important than that Linux ISO I needed 10 minutes ago, the network isn't neutral.
If it doesn't mean the end of QoS at the ISP level, it's not network neutrality.
There's still this problem:
when a person accesses cyberspace, he or she should be able to connect with any other person that he or she wants to—and that other person should be able to receive his or her message,
Yes, but how fast?
A throttled Internet is still not a neutral network.
But when my friend comes over, he can't just use my network.
So you tell him the password. He's a friend, after all.
If it's my grandmother, it's a problem.
She's that much more likely to let you actually type it into her computer.
And when it's my business, and my client comes by, I'd like it to just work -- without him having to configure his device at all.
So it'll take an extra few seconds. I realize you want to baby your client all you can, but I think he can handle typing "h0mest4r2k" or whatever your password is.
The other solution is somewhat more complex -- set up two networks, one encrypted, one not. Then you can do things like throttle the unencrypted network, block outbound port 25, etc...
And in the real business world, where the router is hidden and secured, and it can't just be reset, and it's under load, and everything else, then it winds up being a $500 piece of equipment, with a person amnaging it, and it's just all more complicated.
Actually, that makes it simpler. There's a person managing it. It's that person's job to make it do what you say. You say, "Encrypt it, please." They say, "Ok." What goes on after that is something you're not really even involved in, and however complicated, it's also something this person should be very good at.
But I drive a convertible sportscar -- a mazda mx-5. And yeah, on a nice day, I'll park it at a mall, and I'll leave the roof open. Nothing stops anyone from jumping into the car, damaging it, throwing coffee, accidentally or maliciously, or hot-wiring it and driving it away.
Key word there. Would you leave the key in the car at the mall?
Who the h*** are YOU that I should trust you, a stranger, to mess around with MY computer?
If it's a corporate environment, I'm your IT guy, and I already have Admin access to your computer. In fact, you don't.
Who's going to do all the home computers?
For the home computers, create simple, easy-to-follow instructions on the website. The real cost is going to be support calls, I suppose.
But if we're talking about a corporate environment, I'd say, what home computers? Anyone needs to work from home, give them a corporate laptop.
How are you going to monitor email and web traffic to make sure it conforms to AUP (Acceptable Use Policies) where you work and that someone's not sending your customer list to a competitor?
Well, first, there's no real way to prevent that. If the user is really determined, they'll just drop it on a flash drive, something like that.
But given that the email is going through the corporate server, I can monitor it there. If it's something end-to-end, like PGP, I either keep all the users' keys somewhere safe, or have the PGP done on the server.
Web is similar -- funnel everything through the corporate proxy.
But this is an issue that you want to address at a much more fundamental level. You want to have employees who actually care about your company, who won't want to do things like that. That means addressing this at the level of hiring, HR, management, and office space, not at the level of IT.
Because if you can't trust your employees, you really can't trust them. It's like ISPs trying to block BitTorrent -- users will find a way around it, and the more intrusive it becomes, the more likely they are to leave for greener pastures.
you trust an advertising company
I trust them with a few very specific things, yes.
those CEO says If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
Troubling, sure, but also good advice -- and no matter what the CEO says, they are, in fact, under contract.
Their job is not protecting your privacy.
Maybe not, but they are legally bound to.
do you really think you'll win if you sue google?
Actually, yeah. It'd take a class-action, but sure. But have you actually seen a case where someone has occasion to sue Google for not protecting their privacy?
After all, they'd even have your correspondence with your lawyers,
Actually, no, they wouldn't. I currently use Gmail for my school email address, because it beats what the institution has for webmail. However, I run my own mailserver for personal correspondence.
Encrypt sensitive info as a separate attachment. It's the ONLY way to be sure.
No, you could also just PGP-encrypt all your mail. I don't currently have any mail that's sensitive enough to warrant getting off my ass and doing something about it yet, though. I just don't send sensitive information over email, I deliver it by hand, or over the phone, or via more secure protocols like SSH.
using a self-signed cert is barely better than using plaintext.
I'm going to argue that it's potentially worse, because it gives a false sense of security.
get over their foolish attitude that it's pointless to force attackers to use MitM instead of passive snooping.
It has a point right now, which is more or less security through being a harder target. If you get everyone doing it, I doubt it will help very much -- MitM is painfully easy to do over wireless, and there's at least one freely available tool which does it.
Once encryption with poorly-authenticated key exchange becomes more common, people will start to see a benefit to improving their authentication,
More likely, people will say, "I'm safe, aren't I? I'm encrypted!" And then they'll go right back to ignoring us.
Think about anti-virus. We say, "Pay attention to your security!" They say, "Ok, I'll buy some anti-virus!" And then they go right back to watching porn on IE and downloading BonziBuddy.
exert market forces within crippled single-signer systems to have cheaper CAs,
It costs something on the order of $20/year for a cert. Sure, EV certs cost more, as do wildcard certs, etc, but the base cost isn't bad.
And yeah, I would much rather see a web-of-trust scheme, or at least some more decentralization of CAs, but that really doesn't seem like the problem here. Remember, we're still talking about pretty much every organization Doing It Wrong -- I'd suggest it has much more to do with getting authorization to pay for anything, and with the hardware costs.
That's a Good Thing.
That said, sqlrob makes a good point. If you're going to do a self-signed cert in a corporate environment, you probably can push it out to clients easily enough.
I think the primary difference is that outside of computers and internets, security is much harder to do. For example:
Your home is easy to break into. Maybe you have a lock. Maybe you have a dead-bolt. Your locks can be carded, your dead-bolt can be picked.
Replacing those with Real Security -- even replacing a lock with a deadbolt -- requires physically dismantling part of the door, at a minimum. And you have to do that for every door you want secured that way.
Contrast with, say, replacing unencrypted wireless with WPA-encrypted wireless. Takes about two minutes with a web browser.
You wouldn't want real security at your front door, because you'd be trapped outside more often than an actual burgler.
Quite possible, but again, the implications are different. For example, take said WPA-encrypted wireless -- worst case, you have to plug a cable in physically so you can get to the admin panel and recover/reset the password. If that fails, you push the big reset button. If that still fails, you buy a new router, at a cost of maybe $30 -- and in the meantime, you can plug in physically.
Yet it still provides plenty of security, given you're probably not going to leave unattended guests around the wireless router long enough to do any damage -- this is intended more to keep your neighbors from leeching your internet.
I think the problem with your analogy is that unencrypted traffic isn't like a front door with a lock. It's like a front door without a lock. Maybe your lock can be carded, maybe your deadbolt can be picked, but would you want to actually leave your house unlocked all day?
If no one is breaking in, why would you want to slow everything down.
Blowfish still hasn't been broken, and it's fast on a Pentium -- 18 clock cycles per byte -- so on a 1 ghz CPU, that's 55 megabytes per second -- that's bytes, so more like 400-500 megabits. And that's with a hypothetical 1 ghz Pentium -- modern CPUs are both faster and more efficient, and some machines have dedicated crypto hardware.
I don't care what you're using now, but AES 256 will run just fine on it -- you will not be slowing anything down. Especially if you're talking about this:
My FTP traffic isn't that important. It's just code, and very few people think they want it.
Yeah, the amount of data you're transferring, and the speeds you're transferring it at, aren't going to be slowing anything down. But that aside...
This is probably the most common mistake people make with security -- assuming that they're safe because they're not a target, and because even if they have something semi-valuable, no human would waste their time with it.
Let me guess -- you're FTP-ing some PHP files, something like that? Maybe to a webserver? Let's start by assuming it's static HTML.
Suppose I'm a malware author. I want to spread my malware to as many target PCs as I can. That means I need it hosted in as many places as I can. That means there is an incentive (albeit a small one) to pwn your website.
It's not terribly difficult for a script to intercept your FTP traffic, grab your password (which very likely is sent in the clear) or simply hijack your session, then go looking for something like index.html to infect. It doesn't have to completely replace it, just hide an exploit somewhere on that page. Suddenly, everyone visiting your homepage is getting infected with my malware.
And let's suppose it is PHP. Even better -- now I can have every hit to your website send an email. Your webserver just became a zombie for my spamming botnet.
Finally, let's suppose my script can't figure out what to do with it -- still, if you've got a few gigabytes worth of storage, I could use it to store pirated movies, warez, etc.
And all of this can be automated, so it doesn't matter how small a target you think you are. You might not be worth my time, but you sure a
I wish Thunderbird of evolution had some type of automated system for encryption, where you tagged your public key to the bottom of every e-mail.
What? Thunderbird has had this for awhile, and so has KMail, and really any decent PGP-supporting mail client. It's not at the bottom anymore, though -- the preferred way is as an attachment.
When an in coming e-mail was detected with a key at the bottom all replys were automatically encrypted.
I suspect you can configure it this way, but it's fairly pointless -- it buys you very little unless you can verify that the key in question actually belongs to that user.
I was with you up till here:
the current spam-friendly email protocols we've been living with for decades haven't been replaced with authenticated sender-based protocols,
Are you telling me there's a spam-hostile email protocol possible? How does it do with The Form?
blacklist-based antivirus hasn't been replaced by a less "lossy" model of security.
Actually, the simple replacement for all antivirus is a savvy user. I don't think that's inertia, though, I think that's a weird social block we have -- we want to make this an IT problem instead of an end-user problem, because if it was an end-user problem, we'd have to educate all the end-users, and quite possibly lose a lot of otherwise-productive people who refuse to learn tech.