Slashdot Mirror


User: agwadude

agwadude's activity in the archive.

Stories: 0
Comments: 23

Comments · 23

  1. The Wrong Question on Ask Slashdot: Can Commercial Hardware Routers Be Trusted? · · Score: 4, Insightful

    You shouldn't have to trust your upstream routers. Instead you should assume they're compromised and use end-to-end encryption. HTTPS and SSH, for example, specifically protect against active attackers such as malicious routers.

  2. Re:IPV6 and Debian... on Worldwide IPv6 Adoption: Where Do We Stand Today? · · Score: 1

    Those guys are doing it wrong. First, automatically assigning 2 IP addresses per VPS, no questions asked, is extremely wasteful, is part of the problem, and is actually in violation of ARIN rules which state that there must be valid justification for every IP address issued. At least they're going down to just one address by default. Linode, in stark contrast, only issues one IPv4 address by default and really puts you through the wringer if you want more. AFAIK they'll only give you extras if you're running HTTPS vhosts with distinct certificates (and they check too!).

    Second, while I commend them on offering IPv6, they only give you 3 addresses??? IPv6 has been designed to support large allocations of addresses to end-users. Comcast currently routes a /64 to each customer (1 subnet, or 2^64 addresses), and many hosting companies also route /64's or larger to each server. Heck, Hurricane Electric's free IPv6 tunnel service will route you a whole /48 (65536 subnets, or 2^80 addresses).

  3. Re:multi-stakeholder on US House Votes 397-0 To Oppose UN Control of the Internet · · Score: 1

    It's single-stakeholder in the sense that it's an entirely political body, comprised of governments whose interests probably include tighter control of the Internet. I doubt they'd be any less tyrannical than the US with copyright enforcement, but they'd probably be more tyrannical with unpopular speech such as blasphemy, which is currently quite well protected by the 1st Amendment.

    I'd rather see the Internet overseen by a neutral, international, non-profit, non-governmental organization headquartered in Switzerland, similar to the International Red Cross. I think such an organization could live up to those ideals.

  4. Re:Not Different Enough on Jolla Confirms MeeGo App Store Is Coming · · Score: 1

    That far outweighs the minuscule extra sales they'd get from the few people who'd actually care.

    It's not about the sales to the few people who would flash their phones. However, it's those few people who will innovate and experiment and improve the platform, leading to many more sales down the road to ordinary consumers. We've already got three mobile platforms where the only innovation possible by outside developers is just to develop new apps within the constraints of the platform. A truly "new" phone would allow developers to innovate everywhere

  5. Not Different Enough on Jolla Confirms MeeGo App Store Is Coming · · Score: 3, Interesting

    They say they're trying to make something different from iPhone/Android/Windows, but this is disappointingly old and uninnovative thinking:

    "The phone will be a smartphone for mass market. It will not be a tech phone intended for Linux hackers. Consumers are not able to hack the kernel or flash new software for the device."

    They're right to be going straight for mass market (unlike OpenMoko), but why are they considering these mutually exclusive? What's wrong with letting people flash the device if they want to? The best way to get a new and innovative phone would be to make it truly open.

  6. Re:Giant Step Backwards on Update On Wayland and X11 Support · · Score: 1

    This is getting out of hand.

    First, X network transparency is not used just by sysadmins. At my university it's used every day by students who ssh into lab computers and run X software. They're not sysadmins. Many aren't even power users. They just know that if they ssh from their laptops (be it Mac OS X or Windows with an X server installed), they can simply run an app and it works. They don't care if it's slightly more smoothly drawn; they just want to get their work done. This guy's girlfriend (who doesn't even know what X is) X forwards Thunderbird from her desktop to her laptop. One of the libraries in the Australian Museum in Sydney has (or had, I haven't been there in a while) a row of thin clients which X forward web browsers from a server in some back room. These are real world examples of non-sysadmins using X forwarding.

    But I don't really care if it's sysadmins or non-sysadmins using this. The fact is, the people behind Wayland are removing functionality from a very core part of a Linux system, largely so they can provide slightly prettier graphics. This is not a tradeoff that should be made for any feature, whether it's used by sysadmins, or scientists, or writers, or artists.

    And it's not true that X will always be there. X is being kept around solely to help the transition. What do all these people do once apps start becoming Wayland-only?

  7. Re:Wayland vs X on Update On Wayland and X11 Support · · Score: 3, Informative

    I don't think running a VNC server bound to 127.0.0.1 with port forwarded through a ssh tunnel (ssh -L5900:localhost:5900) is much more complicated neither insecure.

    Is this a joke? Here are some of the missing steps in the VNC "solution":

    • Starting the VNC server, with all the right arguments, on the remote end
    • Making sure applications on the remote end will display on the VNC server (e.g. setting your DISPLAY variable)
    • Starting the VNC client on the local end, with all the right arguments
    • Determining what port number to use - if there's another VNC server running already on 5900 (on either end) you would conflict - this would definitely happen in practice if you have ssh sessions to several systems open at once
    • Securing the VNC server against unauthorized access if there are other users on either the remote or the local end

  8. Giant Step Backwards on Update On Wayland and X11 Support · · Score: 5, Insightful

    One of the features that always distinguished X from other display systems like Mac and Windows has been network transparency. You can ssh to another Linux system, start an X application, and that X application will appear on the system you ssh'd from. This is immensely useful and evidence of a well-thought-out design, but it's an afterthought to Wayland. They say they might be able to render to a VNC server, but VNC works like crap and is full-desktop forwarding rather than individual window forwarding.

    It's extremely ironic that when X was created in the 80s they recognized the importance of distributed systems and network transparency, but now it's 2012, the Internet and the cloud is king, yet network transparency isn't a core feature.

    All this because you can't cross-fade when switching VTs in X or have a "rotating cube" animation (see "Is wayland replacing the X server").

  9. Re:Government Contract in Search of a Problem? on Full-Body Scans Rolled Out At All Australian International Airports · · Score: 5, Insightful

    Seriously. Why don't more people ask this? Check out the Wikipedia article Terrorism in Australia and notice not only the shortness of the article, but also the distinct lack of aviation attacks. It will only take one death from cancer caused by these body scanners and they will have caused more aviation deaths in Australia than terrorists.

  10. Very disappointing on Full-Body Scans Rolled Out At All Australian International Airports · · Score: 4, Informative

    This is very disappointing, especially after the EU passed strict body scanner regulations, which both banned X-ray scanners and required passengers be allowed to opt-out of non-X-ray scanners. Germany scrapped all body scanners, not just because of the health concerns, but because they actually don't work. I know someone who accidentally took his pocket knife through security and the body scanner didn't detect it. These things aren't making anyone safer: between the decreased effectiveness and the cancer risk, they're actually making flying more dangerous.

  11. Re:Don't be evil? on Google CEO Says Privacy Worries Are For Wrongdoers · · Score: 1

    1. A deeply intellectual corporate culture, with 70% of its workforce having PhDs (I don't know if this is still true.) This includes the "20%" concept, whereby all Google staff is given free rein to research what interests them 1 day out of 5. Google, to me, recalls the days of business-as-research-endeavor, the era of Xerox Parc and Bell Labs and the intellectual energy they represented.

    You mean the Bell Labs which allowed their staff to do whatever interested them five days out of five? Sorry, there's no comparison. Google is business-to-make-money, not business-as-research.

  12. Re:Someone has high demands. on "Going Google" Exposes Students' Email · · Score: 3, Informative

    A few mailboxes (20 out of 200) had the wrong mail migrated into them. We don't even know the source of this problem yet, but the university could very well have TOLD Google to put sally.smith's e-mail into sally.jones' new mail box.

    This isn't a google apps security problem. Please RTFA and get off your high horse.

    No, why don't you RTFA and get off your high horse. According to an article linked from TFA, Google acknowledged the problem was on their end, and an earlier comment from a Brown sysadmin indicates that Google upgraded their migration tool right before this happened. It may have "only" been 20 out of 200 accounts, but the problem is squarely Google's fault; stop blaming the Brown sysadmins.

  13. Re:Someone has high demands. on "Going Google" Exposes Students' Email · · Score: 1

    My impression is that this incident is a fuckup at the customer end of things

    No, according to this article, "The problem was on Google's end. They acknowledged a bug," and according to this comment, Google had upgraded their IMAP migration tool right before this happened.

    Sounds like a case of insufficient testing on Google's part before rolling out the new version of their tool.

  14. Re:So, what's the big deal on Perfect MITM Attacks With No-Check SSL Certs · · Score: 2, Informative

    SSL is not supposed to be preventing MITM nor is it supposed to be for identifying purposes.

    I disagree. Why else does SSL have certificate signing capabilities? SSL even has client-side certificates for client identification, though it isn't widely used in HTTPS. In order for any asymmetric cryptosystem to work you need to exchange public keys, and you always have to establish some kind of trust system for those keys.

    We have other technologies for that like PGP but the internet relies on anonymity so you're never 100% sure that you're going to talk to the correct persons.

    Hence the need for SSL.

    Even with PGP, your initial communications will have to be trusted (eg. you personally hand over or get a key) or any subsequent communications will be compromised. SSL doesn't even go that far because every communication is viewed as an initial communication. If the certificate is re-signed or changed to another CA the next day, your browser will not complain as long as that CA is in its trusted root certificates.

    This is a fault of how the key management in SSL has been implemented in web browsers, but says nothing about the technology itself. Two examples of systems using SSL with better (but less convenient) key management systems are OpenSSH and OpenVPN.

    It's the browsers' fault and the CA's as well (with VeriSign the biggest) by asserting that SSL certificates can be used to authenticate an entity rather than a communications.

    There's a middle ground between "entity" and "communications." Yes, it is very difficult to verify that a certificate is being issued to the entity "Bank of America," but it should not be hard to verify that you're issuing a certificate to the domain name www.bankofamerica.com. And the latter is all you need to protect against MITM.

  15. Re:Yup on Securing Your Notebook Against US Customs · · Score: 2, Informative

    I'm as libertarian free-rights paranoid as the next slashdotter (while not quite), but a healthy dose of history here. Customs, border crossings, etc. have never had anything to do with democratic values

    Completely incorrect. Many of the British actions to diminish liberty in the 1700s were directly related to enforcing customs and duties: writs of assistance, vice-admiralty courts, etc. The Founding Fathers were reacting in part against British regulation of customs and duties so many of the "democratic values" like the 4th Amendment, the requirement that trials be held in the locality where the crime was committed, etc, were in fact developed in response to customs enforcement.

    The most poignant example is writs of assistance. These were open-ended search warrants that authorized the holder to conduct any search whatsoever and were issued to British customs officers in the colonies to catch smugglers. They outraged the colonists, who saw them as an affront to their liberty, and directly led to the requirement for specific search warrants in the early state constitutions and later in the 4th Amendment.

    I find it most ironic that the restrictions on search warrants came in response to arbitrary customs enforcement by British customs officers, but today no restrictions at all apply to searches by American customs officers. Whatever court ruled that the 4th Amendment doesn't apply to border crossings ignored significant precedent to the contrary.

    See Writ of Assistance in Wikipedia for a pretty decent overview.

  16. Re:Well duh! on Ubuntu's Power Consumption Tested · · Score: 1

    Ubuntu certainly isn't windows. That is why you can open the package manager and purge most of the stuff that you find bloated, or use Xubuntu, which is designed to have lower requirements yet still be easy to use.

    The problem with this picture is that Xubuntu isn't the default Ubuntu. The fact that Xubuntu is both easy to use and lightweight shows that increased bloat and power consumption is not a trade-off for usability. Certainly, eye candy like Compiz will have a trade-off, but even with Compiz turned off, GNOME in Ubuntu is far more bloated than Xfce in Xubuntu. The reason for that bloat is not more functionality or better usability, but bad code. We should put our energy towards writing good code, and stop treating usability and efficiency as mutually exclusive.

  17. Unix Scripts... Prior Art? on Kodak Wins $1 Billion Java Lawsuit · · Score: 3, Insightful

    This seems quite similar to how scripts work in Unix-land. If you're writing a script in the KornShell language, you put the "#!/bin/ksh" header on the first line of the script. When the script runs, it asks for help from /bin/ksh to execute. Surely that concept has been around longer than this absurd patent?

  18. Re:Math is fun on Computer Pioneer Bob Bemer Dies · · Score: 3, Interesting

    No, major news sources regularly write up standard articles/obituaries for old famous people. In fact, last year in April, CNN accidentally made public obituaries on their website for Cheney, Reagan, the Pope, Fidel Castro, and others.

  19. Re:RMS on Whose Desktop Would You Most Like To See? · · Score: 5, Informative

    Actually, according to this article, RMS rarely uses X. He uses mostly emacs on the console.

  20. Re:I already got the patch on Open Source Firm Releases Patch for IE Bug [UPDATED] · · Score: 1

    Actually, Safari is partially vulnerable also. I tried it on my friend's Powerbook G4 a few days ago and it does exactly the same thing as Mozilla/Firebird. He may be using an old version of Safari, however.

  21. Fuel cells are great, but expensive on Building Longer-Lived Fuel-Cell Stacks · · Score: 3, Insightful

    I'm all for fuel cells, and I'd love to see them put in every car, but they're just way too expensive for them to catch on soon. It's common knowledge that hydrogen is four times more expensive to make as opposed to gasoline. In addition, the fuel cells themselves are 10 times more expensive to build than a conventional automobile engine. Hopefully we'll see some healthy competition that will drive the cost down, but I predict it will be a while before it's as affordable as conventionally powered vehicles.

    And not to mention those oil companies...

  22. Just a big scam... on Russia to Offer Space Mail · · Score: 1

    There's absolutely no way for them to prove whether they sent it up to space or not. They could just burnbag the mail and you would never know. Even if they did send it to space, would you expect a reply?

    Assuming they did send it to space, would you get refunded if the letter was on a shuttle that had a Columbia-like disaster?

  23. This is pretty annoying... on Mozilla Branding Strategy Clarified · · Score: 1

    Question (2) is a very good point.

    Personally, I'm pretty annoyed by all this. I've been using Phoenix (or Firebird, whatever I should call it) since the 0.2 release. I think it's a great alternative to big, bloated Mozilla. But now the default Mozilla browser will become Phoenix!!!??? Give it a few years and I bet it'll be just as bloated as Mozilla is now. Even the name "Mozilla" has a bad karma.