We all remember what Steve Jobs was saying that Apple had "no plans at the current time to make a tablet." We are now 9 years in the future so it is hardly "the current time" that he was referring to. I know it is fashionable here on Slashdot to make fun of Apple but this time there is nothing to laugh at. He was talking about how tablets suck, not that people won't by them, and quite frankly I can only agree with him.
Before anyone jumps to the conclusion that green technology is not profitable and therefore a big scam, or a modern religion if you will, with all of its guilt, shame and asking for money, let me state an opinion that might not be popular here: Maybe, just maybe, the subsidies was too low? I know what you think but let me play an evil's advocate for a second. How much the fresh air is worth to you? To your children? To your children's children? To your children's children's grandchildren? Well, you get the idea. And what about fresh water? What about cold weather? I am not saying that all of those things should be worth more than 500 billion to everyone but I suggest that we have to account for them in the business plans of companies developing green technology. We have to ask ourselves: Why do we develop green technology? How much money are we willing to waste? What sacrifices are we willing to make? What do we expect to get in return? Those are the most important questions that we should at least try to answer.
Before anyone jumps on the band wagon and says that we all have perfectly usable user space desktop apps for 28 years in the UNIX world, let me say that it is actually very important that now even Microsoft starts to understand that modularity is the way to go while designing complex systems. Moving various operating system components to the user space is just a logical conclusion of the research done during the last four decades. Look at the direction of modern OSii development, from MINIX to GNU. Started by GNOSIS, KeyKOS, EROS and Coyotos this trend seems to suggest that it is much more natural and reliable to design a secure capability-based system when all of the services are separated from each other. Now when even Microsoft is going in that direction - and it is not a trivial change for them, trust me - we can expect Apple and other OS vendors to follow which is a Good Thing. After all, even if people like you and me are using secure operating systems we still don't want to get spammed and dossed by all of the legacy machines out there. It turns out that the rumors that Microsoft is starting to take the latest research in operating systems seriously turned out to be true. This is good news for everyone.
"Smartphone vendors seem to have gotten the message: users want to control the software on their phones. It is a shame that Palm/HP, who were one of the only vendors open from the start, more or less lost the game."
If users really wanted to control the software on their phones then Palm/HP, who were one of the only vendors open from the start, wouldn't have more or less lost the game, now would it? If the control was what users wanted, would they buy devices with no keyboards on which they can't even run their own software if it doesn't get a blessing from The Man? The sad truth is that users don't give a damn about freedom. We here do, but they don't. They just want to have a cooler version of TV which they can take with them and impress their friends with all of the apps they have. This is sad but true.
2. Google buys Motorola
to use its patent portfolio defensively to protect themselves against such companies like Apple.
3. Apple attacks Motorola who used to be so great in the past (Apple would never use the inferiour intel CPUs, right?) and now it is Motorola that is being a problem with their patents?! Make up your mind, Apple. Make up your mind.
Every oppressive regime, from Nazi Germany to China, needs unethical companies whose management values money more than human freedom to maintain their power. The only reasonable thing that we as a society are morally obligated to do now is to publish all of the names of those companies for everyone to see, remember and boycott. If you are a consumer, don't buy their products. If you are a business owner, don't cooperate with them. If you are their worker, quit your job. If you are a stock broker, advise everyone to sell their stock. We owe that to people who were and still are being oppressed using tools provided by those companies. The only message that those bastards will understand are lost profits. The boycott is the least that we can do.
I am not surprised at all that someone has finally attacked them. This is not just an ordinary organization destroying documents, leaking their own sources or suing others for doing what they themselves want us to believe is our duty, ie. leaking confidential documents. This is much more. This is ignoring the fact that people are literally risking their lives because they believed WikiLeaks. I am surprised that it was only a DDoS attack and not a more serious form of revenge. This is what you get for totally disrespecting the lives and risks of the people thanks to whom you are now rich and famous. This is just Karma coming back to you. Not surprising at all.
The first non-bird species of reptile? I've heard that it is also the first non-mammal species of reptile to have its genome sequenced. Seriously though, the Slashdot summary may sound stupid (shocking, I know) but the story is actually quite interesting. Of course this is not something to read about in the International Business Times! There is a much better article in Scientific American: Lizard Genome Unveiled: First non-avian reptile sequence helps explain vertebrate evolution by Lee Sweetlove. Highly recommended reading. I also recommend this article on PhysOrg: First lizard genome sequenced by Haley Bridger. Ths story is particularly remarkable that when we have successfully sequenced the genomes of the entire line of the fish - reptile - bird - mammal evolution then we will finally be able to prove the theory even beyond any reasonable doubt of intelligent designers. Hopefully this breakthrough will start an interesting discussion in the world of science about the exact details of the natural selection in general and the speciation in particular.
"[I]t is unlikely to have affected the source code repositories, due to the nature of git" [emphasis added]
Yeah, because no one has ever downloaded the kernel any other way than by making a local fork of the git repository. No one has ever used the http, ftp and rsync links on the kernel.org website, or clicked the "Latest Stable Kernel" icon on that very website, right? Also remember that the mirrors don't mirror the git repositories but the http/ftp archives from kernel.org servers, the very same servers that has been compromised. The kernel.org home page encourages visitors to use those mirrors so it is not unreasonable to assume that some people do in fact use them. How many of them could have downloaded a compromised kernel? How many of them could be using it as we speak?
Seriously people, this is big. I really mean totally freaking big. Thanks to the open source nature of the kernel it is trivial to add a rootkit and make a new tarball. If the attackers were worth their salt then they should do exactly that.
All of the news about the SSL security flaws are starting to get boring. We had a related scandal just yesterday. The problem with SSL (or TLS, actually) is that it uses X.509 with all of its problems, like the mixed scope of certification authorities. It's like using global variables in your program - it is never a good idea. I can only agree with Bruce Schneier, Dan Kaminsky and virtually all of the competent security experts that we have to completely abandon the inherently flawed security model of X.509 certificates and finally fully embrace the DNSSEC as specified by the IETF. It is both stupid and irresponsible to have a trust system used to verify domain names in 2011 that is completely DNS-agnostic - and in fact designed in the 1980s when people were still manually sending the etc/hosts files around! There could be a lot of better solutions than the good old X.509 but in reality the only reasonable direction that we can choose today is to use the Domain Name System Security Extensions. Use 8.8.8.8 and 8.8.4.4 exclusively as your recursive resolvers. Configure your servers and clients. Define and use the RRSIG, DNSKEY, DS, NSEC, NSEC3 and NSEC3PARAM records in all of your zones. Use and verify them on every resolution. Educate people to do the same. This problem will not solve itself. We have to start acting.
Do you really need to know what it looks like? I'm sure it has rectangular design with rounded corners, I mean Apple has invented rounded rectangles so I'm sure they wouldn't waste their greatest contribution to the world of computing. Seriously, this whole secrecy reminds me about Harry Potter. No one would read it if it wasn't the greatest secret on Earth. People, it's just a freaking phone! Who cares if it was lost or not, how it looks like or what OS version is it running. It could run Window$ Mobile for what it's worth and people would still line up to buy them because it's Apple. There, I said it. What I am more concerned about is not the OS version, the design or whether it finally has a real keyboard or not, but more important issues that have real impact on Web developers. Does it finally understand Mobile Web sites? Does it render XHTML Mobile Profile? Or even WAP for god's sake? ActionScript anyone? What about MMS? Let's face it - no matter how badly does it do all of those things that you expect from a $29 Nokia, people will still buy them and love them and the Mobile Web developers will have to live with all of their limitations. XHTML MP, cHTML, WML, AS, MMS, SMS - the level of support of those technologies that in the pre-iOS era we used to take for granted is what we should be interested about, not the shape or color of the new iPhone.
The only thing I find surprising is that stories like this are not more common. Various government agencies all over the world have been using fake certificates literally for years. Those are usually targeted at specific individuals being under surveillance so those are one-time stunts, limited in time and in network visibility, but all of those certificates in order to be useful have to be issued by certification authorities that are in the trust chain of the popular web browsers (Firefox, Chrome, Explorer, Safari, Opera). The problem with SSL/TLS certificates is that any certification authority from any country can issue a certificate for any domain, and they do occasionally. Most of those certificates are used only few times so they don't get any attention but sometimes they do. The trust model in SSL/TLS is fundamentally flawed and I agree with Dan Kaminsky and Bruce Schneier that we have to completely abandon it in favour of a trust model based on a secure DNS system, where there is only one authoritative source of cryptographic certificate for any given domain, instead of thousands like we have today. I have been telling this for years and I can only hope that people will eventually wake up and listen after stories like this one.
That tablet PC fever is already starting to cool down because, let's face it, the tablet PC is actually a pretty dumb idea. How can we improve the friendliness of computers? I know! Let's take away the keyboard! What next? Take away the screen? That would look cool! I mean, seriously, once you have impressed all of your friends with your new trendy gadget, you have to go back to writing emails, articles, software, books, and good luck with that if you don't even have a keyboard. I have said it many times and let me say it once more: There is no "tablet fever". There never was. There is only "apple fever" and it is not going to cool down any time soon. Hardware vendors were trying to sell tablet PCs literally for decades but there never was any demand, partly because the whole idea is just a notebook without a keyboard. It looks cool but that's it. Using a phone without physical keyboard is hard enough, why anyone would want a computer that is equally hard to use? The only reason people are buying tablet PCs today is either because it's apple or it's like apple so having one somehow makes you cool and that is much more impotant than being productive. Sad but true.
I happen to have been following the work of Dina Katabi et al. for quite some time now and I have to admit that it is a very poor summary even for Slashdot. I can assure you that you can understand much more by skipping the summary, skipping the Original Source link and just reading the paper in question. It is a truly revolutionary idea that will soon change the way we perceive the risks in wireless communication.
How in the world do you have this much phone sex, period, but especially at work, and not have anyone notice?
And how in the world do you have (sic) twice as much blog reading or solitire playing time? Don't ask me but somehow the usual office drone manages to achieve that. The problem here is not stealing money from the customers or even the immoral consequences of having this so called phone sex (which should better be called phone masturbation as I'm sure anyone here knows that sex involves a direct contact of exactly two people, not one). The problem is more subtle, yet much more important. It is doing something that one shouldn't be doing during the work time - be it sending sms text messages, smoking cigarettes, talking, playing online poker, changing the screen saver's wallpaper or flirting with a slutty assistant who has no self respect. And as rewarding as exposing this pervert from the story and his immoral behaviour may be, we should ask ourselves how can we force people to work instead of wasting time that we pay for - by taxes, phone bills, buying gasoline etc. Is there any way the average Joe can be forced to understand that he should be doing what we pay him to do and that doing anything else is basically theft from the ethical point of view? This is the question that we need to address in this age where it isn't always obvious that someone is wasting his time. The times are changing and so should our understanding of moral obligations to paying customers.
"and because their site exists for the distribution of copyrighted material the staff do not want to have their personal information in the hands of a CA"
So it exists for the distribution of copyrighted material, right? Just like, say, Amazon? Or like SourceForge? So what's the problem of the CA knowing their personal information? After all, the domain registrar already knows the correct data, right?
Or are you saying that they exist for the distribution of copyrighted material illegally, in which case we all couldn't really care less what their problems are, and you should report them to the appropriate authorities instead of helping them break the law?
Now, back to your main question:
"When is it acceptable to encourage users to accept a self-signed SSL cert?"
The answer is: Never.
What is the point of being sure that no one can intercept your communication all the way from your browser to the server if you don't know who you are talking to in the first place?
If someone knocked to your door and asked for your money would you give it to him because he has a bulletproof truck so the money will be safe all the way to whatever it is going to? Or would you trust the guy in the truck because he showed you a self-signed document saying: "I am authorised to do what I'm doing. Signed: me." Of course not!
Self-signed certificates are pointless, because you are confident than no one is listening but you have no idea who are you talking to. It means the possibility of a man-in-the middle attack and many more problems that should be obvious to any self-respecting, computer-literate, intelligent person.
But what is even more important is the problem of getting people used to trusting incorrect, i.e. "self-signed" certificates. When they later are victims of phishing attacks everyone on Slashdot is saying to blame the victims because they have entered the fake bank website with an incorrect SSL certificate, while at the same time forcing equally incorrect certificates down their throats and saying that it is ok to trust it, because it is "self-signed" (which means that it is signed by itself, for those not familiar with the SSL lingo).
And these are the most important problems caused by self-signed certificates. False sense of security, and getting used to the browser complaining about incorrect certificates and ignoring it later.
The radio frequency identification, or RFID, is an inherently flawed idea. It is a technological solution to a social problem that it created. It is a threat to our security, our privacy, our freedom, and now also our health! And this is not a just conspiracy theory. Some of the most respectable members of our society are protesting against RFID technology, including Bruce Schneier and even Richard Stallman. My only question is, how much more insult to our intelligence can we take as a society before we start actively protesting? Our freedom, our privacy, our health and our dignity is being taken from us and all we can do is complain on the Internet? Where are the protesting groups? Where are the outraged people desperate to change the situation? Where are the angry mobs? What else are we going to let them take away from us before we stop talking and start acting?
Don't get overexcited just yet. Let me quote some of the most important parts of the article that were completely overlooked in the summary for some reason:
"These results are from opening Memory Watcher and then using the browser between 9,000 and 11,000 seconds (close to 3 hours). Each browser is tested in a separate session, and there are brief periods of inactivity throughout the time period. [...] The above profiles are not a direct comparison in any way, but they offer a visualization of trending in the memory behavior of the layout engines and interfaces. [...]These aren't stress tests, and I probably never went over 4 windows in each browser, with at most 3 tabs in each window. [...] An automation script will never give the same insight into performance over time as will this sort of profile." [emphasis added]
In other words, it is evident that there was no guarantee whatsoever that every browser would display exactly the same sequence of web pages. It is easy to jump to conclusions that if Firefox has used the least memory then it must "[have] a surprising advantage over the other browsers." But is it a logical course of reasoning? Or only a post hoc ergo propter hoc fallacy combined with wishful thinking? The truth is that the amount of memory used during an hour of downloading web pages is strongly correlated with the speed of downloading and displaying said web pages. Is it the case that Firefox couldn't download, format and display pages as quickly as Internet Explorer because of the native Windows internal API hooks that help Explorer work faster than any independent browser could possible aspire to? That is quite possible. Unfortunately the results of that experiment are inconclusive and the methodology was unreliable.
Well, it's hardly surprising. According to government records, the only names not yet trademarked are "Popplers" and "Zittzers". I remember the internal confusion at Google back in the day when there were plans to set up a worldwide network of Google hot spots, or Gspots, only to find out that it is nearly impossible to find a name that is both pleasant to the ear, even remotely meaningful and not already taken. Enyone remembers the scandal three years ago? This is another example. And what about our beloved Firefox browser? It had to change its name not once, not twice, but trice to finally get rid of the trademark problems and still any literate person will point out to the Craig Thomas' novel, not to mention the Firefox bicycle company, or the Malaguti Firefox scooter, all of which being much older than any web browser on Earth. But does it mean that people can't use Google to check for any prior art of the name they have chosen for their projects? No. It just means that all of that trademark hysteria of the last one and a half decades, this "get outta my intellectual property!" attitude, it all hurts progress. Because, at the end of the day, isn't progress what it is all about? Shouldn't we just shut up, roll up our sleeves and start making our global village a better place instead of worrying about not hurting someones feelings or not breaking some law? I am really sick of every good initiative being sabotaged by someone who "owns" some "intellectual property". Google is probably one of ten, maybe twenty companies that are more concerned about morals and ethics than profits, yet some Germans have a problem with one of its most popular names and when do they sue? When the name is already known worldwide! This is just too much. Please let me quote a great thinker, George Bernard Shaw: "If you have an apple and I have an apple and we exchange these apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas."
I wholeheartedly agree with Brendan that we should at any cost stop JavaScript in particulat and Ecmascript in general from being as painful as Java in any way possible. However what we should do is not only improving all of the ECMA-262 derivatives but to make a systematical progress towards better flexibility and interoperability of various scripting approaches in the future. Take for example the wonderful project by Mehmet Yavuz Selim Soyturk called PJS which is an important step in the direction to allow the Parrot virtual machine, designed to run Perl, Tcl, Javascript, Ruby, Lua, Scheme, Befunge, Lisp, PHP, Python, Perl 6, APL, Java,.NET, et al., to run on JavaScript, so all of those languages could be used together to enhance your browsing experience on the Web. For this to be even remotely plausible the JavaScript must be as flexible and as fast as possible because it would basically mean running high-level language code compiled to the Parrot intermediate representation (PIR, or IMC), that converted to the Parrot assembly language, assembled, linked, converted to Parrot bytecode and then execuded on the Parrot virtual machine or PVM which would itself be a large JavaScript interpreted script running in a Web browser, running in the operating system... You get the picture. A logical step forward would be to include PVM in all of the major browsers to run the Parrot bytecode natively and efficiently in the browser. There are already plans to include PVM interpreter in Firefox which means it will be available as a viable target for scriping dynamic html pages for all of its derivatives like Camino, Galeon and Konqueror. Hopefully the commercial browsers would follow (the Artistic license is not anti-commercial like GPL so there should be no legal problems with the integration). I really look forward to the future of perfect interoperability when every single Web page could potentially run scripts written in literally dozens of programming languages simultaneously. One day we will experience that synergy thanks to people like Brendan Eich,Mehmet Yavuz Selim Soyturk, Larry Wall, et al. if they only agree to work together on one common solution to the big mess of Web scripts that we have today. Let's all hope they will.
"Since the GPL in both BusyBox and the Linux kernel require that anyone using and distributing the binaries of this software make source available to everyone..."...upon request. Read the GPL.
Yes, Internet monitoring is a necessity.[1] No, injecting anything into someone who doesn't wish to have his stuff interfered with is not only not a necessity but quite frankly an outrage. Remember people, just because one thing is a necessity doesn't mean that something more must also be necessary. This is a slippery slope. To be honest I was expecting more logical integrity from Dave Caputo whom I've always respected and liked personally but who has apparently started to be blinded by his corporate agenda. What a shame, Dave. What a shame.
I have predicted it on the day when Gmail introduced Firefox to the Google Pack, only to get laughed at by the Slashdot crowd. In this case it is sad to have been right but let's face it - we had it coming. And for those who are posting messages about how Micro$oft can't make a correctwebsite - do you think that they have missed the campaign? I wish. The truth is that they are some of the most knowledgeable folks out there, even if on the evil side of our battle. Sadly the only solution is to do what we have done in the same situation with Open Office having problems with Office generating incorrect documents. We had to cripple Open Office internal file importation algorithms to the point of having tons of slow spaghetti code (take a look at the CVS sometimes) but what was the other alternative? We could have only excluded ourselves from the main stream of de facto standards. Now the Firefox team stands before the same dilemma. Let's just hope that they will solve this problem wisely and elegantly. They need our support now, for they will not get it from Redmond.
"... priced at or below the cover price of the book..." [emphasis added]
Well, that's the problem - "at or below" is not enough. If I am to get only the raw information without the physical thing, without the possibility to go to a park with my book (and not looking like a dork with a laptop, or worse yet - a Kindle), without being able to decorate my room with a book, et cetera - it has to cost at least 10 times less (which it doesn't) or be 10 times better (which it isn't). This is the same reason why the idea of selling mp3s was such a failure. In other words, great idea but it is sadly going to fail because it doesn't follow the "ten times" rule. Probably once again the marketing department wasn't listening to the engineers. What a shame.
That scary "lockdown" that you are alarming about is not what those "entertainment and broadcast lobbies" desire for the Internet. This is what they desire for their TV on the Internet, for crying out loud. This is a subtle yet important difference because contrary to what you are implying here the Internet as we know it is not going to change. So don't worry, you'll still be able to waste time on Slashdot all day long. That having been said, I personally consider the television itself to be an utter waste of time (or a "lockdown" if you will) but do I post messages on Slashdot about it? No. I just don't watch it. Viola. Problem solved. You should try it sometimes and you'll see that there is no need to scare people that they will be somehow "locked down" by having a choice to watch the TV on some additional medium.
Slashdot Mirror
We all remember what Steve Jobs was saying that Apple had "no plans at the current time to make a tablet." We are now 9 years in the future so it is hardly "the current time" that he was referring to. I know it is fashionable here on Slashdot to make fun of Apple but this time there is nothing to laugh at. He was talking about how tablets suck, not that people won't by them, and quite frankly I can only agree with him.
Before anyone jumps to the conclusion that green technology is not profitable and therefore a big scam, or a modern religion if you will, with all of its guilt, shame and asking for money, let me state an opinion that might not be popular here: Maybe, just maybe, the subsidies was too low? I know what you think but let me play an evil's advocate for a second. How much the fresh air is worth to you? To your children? To your children's children? To your children's children's grandchildren? Well, you get the idea. And what about fresh water? What about cold weather? I am not saying that all of those things should be worth more than 500 billion to everyone but I suggest that we have to account for them in the business plans of companies developing green technology. We have to ask ourselves: Why do we develop green technology? How much money are we willing to waste? What sacrifices are we willing to make? What do we expect to get in return? Those are the most important questions that we should at least try to answer.
Before anyone jumps on the band wagon and says that we all have perfectly usable user space desktop apps for 28 years in the UNIX world, let me say that it is actually very important that now even Microsoft starts to understand that modularity is the way to go while designing complex systems. Moving various operating system components to the user space is just a logical conclusion of the research done during the last four decades. Look at the direction of modern OSii development, from MINIX to GNU. Started by GNOSIS, KeyKOS, EROS and Coyotos this trend seems to suggest that it is much more natural and reliable to design a secure capability-based system when all of the services are separated from each other. Now when even Microsoft is going in that direction - and it is not a trivial change for them, trust me - we can expect Apple and other OS vendors to follow which is a Good Thing. After all, even if people like you and me are using secure operating systems we still don't want to get spammed and dossed by all of the legacy machines out there. It turns out that the rumors that Microsoft is starting to take the latest research in operating systems seriously turned out to be true. This is good news for everyone.
"Smartphone vendors seem to have gotten the message: users want to control the software on their phones. It is a shame that Palm/HP, who were one of the only vendors open from the start, more or less lost the game."
If users really wanted to control the software on their phones then Palm/HP, who were one of the only vendors open from the start, wouldn't have more or less lost the game, now would it? If the control was what users wanted, would they buy devices with no keyboards on which they can't even run their own software if it doesn't get a blessing from The Man? The sad truth is that users don't give a damn about freedom. We here do, but they don't. They just want to have a cooler version of TV which they can take with them and impress their friends with all of the apps they have. This is sad but true.
Every oppressive regime, from Nazi Germany to China, needs unethical companies whose management values money more than human freedom to maintain their power. The only reasonable thing that we as a society are morally obligated to do now is to publish all of the names of those companies for everyone to see, remember and boycott. If you are a consumer, don't buy their products. If you are a business owner, don't cooperate with them. If you are their worker, quit your job. If you are a stock broker, advise everyone to sell their stock. We owe that to people who were and still are being oppressed using tools provided by those companies. The only message that those bastards will understand are lost profits. The boycott is the least that we can do.
I am not surprised at all that someone has finally attacked them. This is not just an ordinary organization destroying documents, leaking their own sources or suing others for doing what they themselves want us to believe is our duty, ie. leaking confidential documents. This is much more. This is ignoring the fact that people are literally risking their lives because they believed WikiLeaks. I am surprised that it was only a DDoS attack and not a more serious form of revenge. This is what you get for totally disrespecting the lives and risks of the people thanks to whom you are now rich and famous. This is just Karma coming back to you. Not surprising at all.
The first non-bird species of reptile? I've heard that it is also the first non-mammal species of reptile to have its genome sequenced. Seriously though, the Slashdot summary may sound stupid (shocking, I know) but the story is actually quite interesting. Of course this is not something to read about in the International Business Times! There is a much better article in Scientific American: Lizard Genome Unveiled: First non-avian reptile sequence helps explain vertebrate evolution by Lee Sweetlove. Highly recommended reading. I also recommend this article on PhysOrg: First lizard genome sequenced by Haley Bridger. Ths story is particularly remarkable that when we have successfully sequenced the genomes of the entire line of the fish - reptile - bird - mammal evolution then we will finally be able to prove the theory even beyond any reasonable doubt of intelligent designers. Hopefully this breakthrough will start an interesting discussion in the world of science about the exact details of the natural selection in general and the speciation in particular.
"[I]t is unlikely to have affected the source code repositories, due to the nature of git" [emphasis added] Yeah, because no one has ever downloaded the kernel any other way than by making a local fork of the git repository. No one has ever used the http, ftp and rsync links on the kernel.org website, or clicked the "Latest Stable Kernel" icon on that very website, right? Also remember that the mirrors don't mirror the git repositories but the http/ftp archives from kernel.org servers, the very same servers that has been compromised. The kernel.org home page encourages visitors to use those mirrors so it is not unreasonable to assume that some people do in fact use them. How many of them could have downloaded a compromised kernel? How many of them could be using it as we speak? Seriously people, this is big. I really mean totally freaking big. Thanks to the open source nature of the kernel it is trivial to add a rootkit and make a new tarball. If the attackers were worth their salt then they should do exactly that.
All of the news about the SSL security flaws are starting to get boring. We had a related scandal just yesterday. The problem with SSL (or TLS, actually) is that it uses X.509 with all of its problems, like the mixed scope of certification authorities. It's like using global variables in your program - it is never a good idea. I can only agree with Bruce Schneier, Dan Kaminsky and virtually all of the competent security experts that we have to completely abandon the inherently flawed security model of X.509 certificates and finally fully embrace the DNSSEC as specified by the IETF. It is both stupid and irresponsible to have a trust system used to verify domain names in 2011 that is completely DNS-agnostic - and in fact designed in the 1980s when people were still manually sending the etc/hosts files around! There could be a lot of better solutions than the good old X.509 but in reality the only reasonable direction that we can choose today is to use the Domain Name System Security Extensions. Use 8.8.8.8 and 8.8.4.4 exclusively as your recursive resolvers. Configure your servers and clients. Define and use the RRSIG, DNSKEY, DS, NSEC, NSEC3 and NSEC3PARAM records in all of your zones. Use and verify them on every resolution. Educate people to do the same. This problem will not solve itself. We have to start acting.
Do you really need to know what it looks like? I'm sure it has rectangular design with rounded corners, I mean Apple has invented rounded rectangles so I'm sure they wouldn't waste their greatest contribution to the world of computing. Seriously, this whole secrecy reminds me about Harry Potter. No one would read it if it wasn't the greatest secret on Earth. People, it's just a freaking phone! Who cares if it was lost or not, how it looks like or what OS version is it running. It could run Window$ Mobile for what it's worth and people would still line up to buy them because it's Apple. There, I said it. What I am more concerned about is not the OS version, the design or whether it finally has a real keyboard or not, but more important issues that have real impact on Web developers. Does it finally understand Mobile Web sites? Does it render XHTML Mobile Profile? Or even WAP for god's sake? ActionScript anyone? What about MMS? Let's face it - no matter how badly does it do all of those things that you expect from a $29 Nokia, people will still buy them and love them and the Mobile Web developers will have to live with all of their limitations. XHTML MP, cHTML, WML, AS, MMS, SMS - the level of support of those technologies that in the pre-iOS era we used to take for granted is what we should be interested about, not the shape or color of the new iPhone.
The only thing I find surprising is that stories like this are not more common. Various government agencies all over the world have been using fake certificates literally for years. Those are usually targeted at specific individuals being under surveillance so those are one-time stunts, limited in time and in network visibility, but all of those certificates in order to be useful have to be issued by certification authorities that are in the trust chain of the popular web browsers (Firefox, Chrome, Explorer, Safari, Opera). The problem with SSL/TLS certificates is that any certification authority from any country can issue a certificate for any domain, and they do occasionally. Most of those certificates are used only few times so they don't get any attention but sometimes they do. The trust model in SSL/TLS is fundamentally flawed and I agree with Dan Kaminsky and Bruce Schneier that we have to completely abandon it in favour of a trust model based on a secure DNS system, where there is only one authoritative source of cryptographic certificate for any given domain, instead of thousands like we have today. I have been telling this for years and I can only hope that people will eventually wake up and listen after stories like this one.
That tablet PC fever is already starting to cool down because, let's face it, the tablet PC is actually a pretty dumb idea. How can we improve the friendliness of computers? I know! Let's take away the keyboard! What next? Take away the screen? That would look cool! I mean, seriously, once you have impressed all of your friends with your new trendy gadget, you have to go back to writing emails, articles, software, books, and good luck with that if you don't even have a keyboard. I have said it many times and let me say it once more: There is no "tablet fever". There never was. There is only "apple fever" and it is not going to cool down any time soon. Hardware vendors were trying to sell tablet PCs literally for decades but there never was any demand, partly because the whole idea is just a notebook without a keyboard. It looks cool but that's it. Using a phone without physical keyboard is hard enough, why anyone would want a computer that is equally hard to use? The only reason people are buying tablet PCs today is either because it's apple or it's like apple so having one somehow makes you cool and that is much more impotant than being productive. Sad but true.
I happen to have been following the work of Dina Katabi et al. for quite some time now and I have to admit that it is a very poor summary even for Slashdot. I can assure you that you can understand much more by skipping the summary, skipping the Original Source link and just reading the paper in question. It is a truly revolutionary idea that will soon change the way we perceive the risks in wireless communication.
How in the world do you have this much phone sex, period, but especially at work, and not have anyone notice?
And how in the world do you have (sic) twice as much blog reading or solitire playing time? Don't ask me but somehow the usual office drone manages to achieve that. The problem here is not stealing money from the customers or even the immoral consequences of having this so called phone sex (which should better be called phone masturbation as I'm sure anyone here knows that sex involves a direct contact of exactly two people, not one). The problem is more subtle, yet much more important. It is doing something that one shouldn't be doing during the work time - be it sending sms text messages, smoking cigarettes, talking, playing online poker, changing the screen saver's wallpaper or flirting with a slutty assistant who has no self respect. And as rewarding as exposing this pervert from the story and his immoral behaviour may be, we should ask ourselves how can we force people to work instead of wasting time that we pay for - by taxes, phone bills, buying gasoline etc. Is there any way the average Joe can be forced to understand that he should be doing what we pay him to do and that doing anything else is basically theft from the ethical point of view? This is the question that we need to address in this age where it isn't always obvious that someone is wasting his time. The times are changing and so should our understanding of moral obligations to paying customers.
"and because their site exists for the distribution of copyrighted material the staff do not want to have their personal information in the hands of a CA"
So it exists for the distribution of copyrighted material, right? Just like, say, Amazon? Or like SourceForge? So what's the problem of the CA knowing their personal information? After all, the domain registrar already knows the correct data, right?
Or are you saying that they exist for the distribution of copyrighted material illegally, in which case we all couldn't really care less what their problems are, and you should report them to the appropriate authorities instead of helping them break the law?
Now, back to your main question:
"When is it acceptable to encourage users to accept a self-signed SSL cert?"
The answer is: Never.
What is the point of being sure that no one can intercept your communication all the way from your browser to the server if you don't know who you are talking to in the first place?
If someone knocked to your door and asked for your money would you give it to him because he has a bulletproof truck so the money will be safe all the way to whatever it is going to? Or would you trust the guy in the truck because he showed you a self-signed document saying: "I am authorised to do what I'm doing. Signed: me." Of course not!
Self-signed certificates are pointless, because you are confident than no one is listening but you have no idea who are you talking to. It means the possibility of a man-in-the middle attack and many more problems that should be obvious to any self-respecting, computer-literate, intelligent person.
But what is even more important is the problem of getting people used to trusting incorrect, i.e. "self-signed" certificates. When they later are victims of phishing attacks everyone on Slashdot is saying to blame the victims because they have entered the fake bank website with an incorrect SSL certificate, while at the same time forcing equally incorrect certificates down their throats and saying that it is ok to trust it, because it is "self-signed" (which means that it is signed by itself, for those not familiar with the SSL lingo).
And these are the most important problems caused by self-signed certificates. False sense of security, and getting used to the browser complaining about incorrect certificates and ignoring it later.
The radio frequency identification, or RFID, is an inherently flawed idea. It is a technological solution to a social problem that it created. It is a threat to our security, our privacy, our freedom, and now also our health! And this is not a just conspiracy theory. Some of the most respectable members of our society are protesting against RFID technology, including Bruce Schneier and even Richard Stallman. My only question is, how much more insult to our intelligence can we take as a society before we start actively protesting? Our freedom, our privacy, our health and our dignity is being taken from us and all we can do is complain on the Internet? Where are the protesting groups? Where are the outraged people desperate to change the situation? Where are the angry mobs? What else are we going to let them take away from us before we stop talking and start acting?
Don't get overexcited just yet. Let me quote some of the most important parts of the article that were completely overlooked in the summary for some reason:
"These results are from opening Memory Watcher and then using the browser between 9,000 and 11,000 seconds (close to 3 hours). Each browser is tested in a separate session, and there are brief periods of inactivity throughout the time period. [...] The above profiles are not a direct comparison in any way, but they offer a visualization of trending in the memory behavior of the layout engines and interfaces. [...]These aren't stress tests, and I probably never went over 4 windows in each browser, with at most 3 tabs in each window. [...] An automation script will never give the same insight into performance over time as will this sort of profile." [emphasis added]
In other words, it is evident that there was no guarantee whatsoever that every browser would display exactly the same sequence of web pages. It is easy to jump to conclusions that if Firefox has used the least memory then it must "[have] a surprising advantage over the other browsers." But is it a logical course of reasoning? Or only a post hoc ergo propter hoc fallacy combined with wishful thinking? The truth is that the amount of memory used during an hour of downloading web pages is strongly correlated with the speed of downloading and displaying said web pages. Is it the case that Firefox couldn't download, format and display pages as quickly as Internet Explorer because of the native Windows internal API hooks that help Explorer work faster than any independent browser could possible aspire to? That is quite possible. Unfortunately the results of that experiment are inconclusive and the methodology was unreliable.
Well, it's hardly surprising. According to government records, the only names not yet trademarked are "Popplers" and "Zittzers". I remember the internal confusion at Google back in the day when there were plans to set up a worldwide network of Google hot spots, or Gspots, only to find out that it is nearly impossible to find a name that is both pleasant to the ear, even remotely meaningful and not already taken. Enyone remembers the scandal three years ago? This is another example. And what about our beloved Firefox browser? It had to change its name not once, not twice, but trice to finally get rid of the trademark problems and still any literate person will point out to the Craig Thomas' novel, not to mention the Firefox bicycle company, or the Malaguti Firefox scooter, all of which being much older than any web browser on Earth. But does it mean that people can't use Google to check for any prior art of the name they have chosen for their projects? No. It just means that all of that trademark hysteria of the last one and a half decades, this "get outta my intellectual property!" attitude, it all hurts progress. Because, at the end of the day, isn't progress what it is all about? Shouldn't we just shut up, roll up our sleeves and start making our global village a better place instead of worrying about not hurting someones feelings or not breaking some law? I am really sick of every good initiative being sabotaged by someone who "owns" some "intellectual property". Google is probably one of ten, maybe twenty companies that are more concerned about morals and ethics than profits, yet some Germans have a problem with one of its most popular names and when do they sue? When the name is already known worldwide! This is just too much. Please let me quote a great thinker, George Bernard Shaw: "If you have an apple and I have an apple and we exchange these apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas."
I wholeheartedly agree with Brendan that we should at any cost stop JavaScript in particulat and Ecmascript in general from being as painful as Java in any way possible. However what we should do is not only improving all of the ECMA-262 derivatives but to make a systematical progress towards better flexibility and interoperability of various scripting approaches in the future. Take for example the wonderful project by Mehmet Yavuz Selim Soyturk called PJS which is an important step in the direction to allow the Parrot virtual machine, designed to run Perl, Tcl, Javascript, Ruby, Lua, Scheme, Befunge, Lisp, PHP, Python, Perl 6, APL, Java, .NET, et al., to run on JavaScript, so all of those languages could be used together to enhance your browsing experience on the Web. For this to be even remotely plausible the JavaScript must be as flexible and as fast as possible because it would basically mean running high-level language code compiled to the Parrot intermediate representation (PIR, or IMC), that converted to the Parrot assembly language, assembled, linked, converted to Parrot bytecode and then execuded on the Parrot virtual machine or PVM which would itself be a large JavaScript interpreted script running in a Web browser, running in the operating system... You get the picture. A logical step forward would be to include PVM in all of the major browsers to run the Parrot bytecode natively and efficiently in the browser. There are already plans to include PVM interpreter in Firefox which means it will be available as a viable target for scriping dynamic html pages for all of its derivatives like Camino, Galeon and Konqueror. Hopefully the commercial browsers would follow (the Artistic license is not anti-commercial like GPL so there should be no legal problems with the integration). I really look forward to the future of perfect interoperability when every single Web page could potentially run scripts written in literally dozens of programming languages simultaneously. One day we will experience that synergy thanks to people like Brendan Eich,Mehmet Yavuz Selim Soyturk, Larry Wall, et al. if they only agree to work together on one common solution to the big mess of Web scripts that we have today. Let's all hope they will.
"Since the GPL in both BusyBox and the Linux kernel require that anyone using and distributing the binaries of this software make source available to everyone ..." ...upon request. Read the GPL.
Yes, Internet monitoring is a necessity.[1] No, injecting anything into someone who doesn't wish to have his stuff interfered with is not only not a necessity but quite frankly an outrage. Remember people, just because one thing is a necessity doesn't mean that something more must also be necessary. This is a slippery slope. To be honest I was expecting more logical integrity from Dave Caputo whom I've always respected and liked personally but who has apparently started to be blinded by his corporate agenda. What a shame, Dave. What a shame.
I have predicted it on the day when Gmail introduced Firefox to the Google Pack, only to get laughed at by the Slashdot crowd. In this case it is sad to have been right but let's face it - we had it coming. And for those who are posting messages about how Micro$oft can't make a correct website - do you think that they have missed the campaign? I wish. The truth is that they are some of the most knowledgeable folks out there, even if on the evil side of our battle. Sadly the only solution is to do what we have done in the same situation with Open Office having problems with Office generating incorrect documents. We had to cripple Open Office internal file importation algorithms to the point of having tons of slow spaghetti code (take a look at the CVS sometimes) but what was the other alternative? We could have only excluded ourselves from the main stream of de facto standards. Now the Firefox team stands before the same dilemma. Let's just hope that they will solve this problem wisely and elegantly. They need our support now, for they will not get it from Redmond.
"... priced at or below the cover price of the book ..." [emphasis added]
Well, that's the problem - "at or below" is not enough. If I am to get only the raw information without the physical thing, without the possibility to go to a park with my book (and not looking like a dork with a laptop, or worse yet - a Kindle), without being able to decorate my room with a book, et cetera - it has to cost at least 10 times less (which it doesn't) or be 10 times better (which it isn't). This is the same reason why the idea of selling mp3s was such a failure. In other words, great idea but it is sadly going to fail because it doesn't follow the "ten times" rule. Probably once again the marketing department wasn't listening to the engineers. What a shame.
That scary "lockdown" that you are alarming about is not what those "entertainment and broadcast lobbies" desire for the Internet. This is what they desire for their TV on the Internet, for crying out loud. This is a subtle yet important difference because contrary to what you are implying here the Internet as we know it is not going to change. So don't worry, you'll still be able to waste time on Slashdot all day long. That having been said, I personally consider the television itself to be an utter waste of time (or a "lockdown" if you will) but do I post messages on Slashdot about it? No. I just don't watch it. Viola. Problem solved. You should try it sometimes and you'll see that there is no need to scare people that they will be somehow "locked down" by having a choice to watch the TV on some additional medium.