It came as quite a shock when it came to light he'd been charged for merely linking to banned content. It was quite possibly a first.
I'm not sure if he left Thailand because he had disagreements with the Thai government - if memory serves he left as a young teenager. He stayed in the US more than long enough to become a citizen - something like 30 years.
Did a quick scan, one of them is: "Update e-mail address of Jarkko Nikula". Also noted lots of work related to the gma500 driver lately, thanks Alan Cox.
Does this mean the US just has all of it's malware spread evenly between the many major cities?
Yes. The problem with this study is the low accuracy of the geoip data for Asia. Hanoi and Ho Chi Minh are around the middle of these lists but one half of the country appears in the geoip lookup as Hanoi; the other half appears as Ho Chi Minh - I'm currently 450km from HCM but that's where Maxmind says I am. I know from experience there are plenty of spammier locales in China than Beijing - again data is just getting aggregated. So the data in their writeup ('paper.pdf') is kind of lame because they only have top-10 and top-20 lists - 60% of which get populated by Asian cities acting as DHCP servers for their whole region. I suspect that if their lists ran down a bit longer we'd see bunches of US cities - perhaps with Phoenix, Arizona the first.
From TFPDF:
The main problem with using GeoPlugin that it relies on the accuracy of Max-
mind database [12], of which numbers on accuracy are available [13]. Even though the
database is not 100% precise, (Maxmind claims that their “GeoIP databases are 99.8%
accurate on a country level, 90% accurate on a state level and 83% accurate for the US
within a 25 mile radius”), we believe the results obtained would still hold, even though
with some margin for errors.
absolutely. I also agree with the commenter below, get rid of empathy and go back to pidgin, and then we'll be a step closer to ubuntu not being crap.
It might well happen.I think the main driver was the integration with Gnome and Ubuntu deferred to the Gnome guys. With Ubuntu moving away from Gnome lately we could see a reverse.
Evolution has not been 'booted' (word used in TFA), the decision on going ahead with Thunderbird or Evolution will be made before the release of alpha 3 in a few weeks. See the blueprint. I knew there was a reason why I stopped reading Extremetech.
I'm not a new user so my list of quibbles is irrelevant in this discussion. I pointed out two that might apply to the problem statement and I added some factual ballast.
> "Depending on hardware capabilities there are heavyweight (Gnome, KDE) and lightweight (Xfce, LXDE) versions."
The Xfce version has moved to Debian (which you "strongly advise against"). Note that Clem said with the Xfce version he's no longer putting the emphasis on being lightweight (although even a bloated Xfce on top of Debian would be a lot more zippy than Gnome on top of Ubuntu).
Using Wubi or mint4win is not a great idea as mom probably has only one partition - resulting in her not being able to access any of her files from Linux. That's not the best introduction to Linux is it?
One of the real pains about Mint is that the GUI package manager doesn't allow you to change to a mirror located nearer to you (it just changes the Mint repo; not the Ubuntu ones - so the experience of updating or installing new software might proceed at a snail's pace if you're not near the main servers - again not the greatest of intros.
> "Angry users have driven the app's rating down to less than two out of five stars."
Reminds me of of the Noscript - Adblock fiasco. Registered members at addons.mozilla.org all drove Noscript's rating down to one star but then Mozilla decided in their infinite wisdom that they should delete all those votes.
If this campaign continues the same will happen here.
Was thinking exactly the same thing. I just spent all mine (first I got since the 'makeover') on some kdawson-related comments. At least this deserves an 'interesting' right?
Now explain to my grandmother, who just got her first email last week, how and why she needs to do that.
If your grandmother only received her first email last week then she definitely, absolutely, imperatively must stay away from 'that'. I'm amazed this has been moderated insightful. We've gone from 'think of the children' to 'think of the grandmothers' as a shortcut for those two lazy to engage in thoughtful analysis.
Most hotmail users do not know what HTTPS is. This move effetively disables cryptography for 90% of the users.
well, 90% of people on Slashdot don't know what HTTPS is - 90% of the other 10% are probably displaying a rather cock-sure, blissful ignorance. Think about it: a message going from country A to country B, two wifi connections that may or may not be encrypted, two governments that may or may not be intruding, two providers that may be cooperating with the former to varying degrees. If you don't know what https, say away from it. Don't tell anybody they're getting 'cryptography' if you're not able to give them a grounding in all the above. Or else you 'cryptography' will only be good for hiding your stuff from your mum.
And yes, some people who are emailing other people about their revolutionary plans and actions are somebody's grandmother.
Well are they now? When and if grandmothers are getting shot on the streets, DO NOT encourage them to mess around with technology they don't understand, ESP those "who just got her first email last week" (see GP). I'm not taking about messing with the settings - I'm saying just DON'T do it.
Why is summary recommending Yahoo in this instance? Last time I checked (10 mins ago) I couldn't get Yahoo mail to use https on regular pages. It seems Hotmail can still use https in the affected countries - as long as you explicitly type it in the address bar. Or use HTTPS Everywhere. Or choose a different country in your profile. So Hotmail is still better than Yahoo?
As noted below, China is not on the list. I think the summary is misleading. TFA says MS has turned off the 'always-use-HTTPS' option - not the 'HTTPS' option. Otherwise you couldn't get the HTTPS-Everywhere extension to work.
From TFA:
Hotmail users who browse the web with Firefox may force the use of HTTPS by default—while using any Hotmail location setting—by installing the HTTPS Everywhere Firefox plug-in.
I don't know what Microsoft are thinking here but seeing as it's using the country you set in your profile; not any sort of geoip lookup... the remedy is simple: just change the country in your profile.
Actually, the author does address that. They key is that the private key would not change when the certificate changes. Unless the MiM has cracked the old cert (in which case you're screwed no matter what), they couldn't impersonate an update that keeps the same private key.
The two scenarios I'm thinking of when either: 1) a government, or 2) someone controlling you local network, manage to pass you fake certs. I can't say if the private key does or doesn't change in these two scenarios but the problem still remains - I'm being alerted to a certificate being renewed and I'm having to check up. You (or the author) don't address the 'whatcouldpossiblygowrong' or the 'escalation of cludginess' issues.
there is, it's called Certificate Revocation and Online Certificate Status Protocol
As has been discussed further down, those two methods are broken. I want to delete the certificates/authorities *as soon as* I find out they are suspect - not wait for a faulty mechanism to check up on certificates that I *already know* are compromised.
Specifically, someone could send back a 500 error when you try to access those sites. Most of today's browsers, on receiving that 500 error, will choose to continue treating the certificate as legit - but will give you almost zero notification that anything is amiss.
The removal of the 'weaker' certs and authorities needs to be scriptable. Connecting to Mozilla updates is bad at the best of times - much much more so in countries where this incident might be more of an issue.
From TFA:
The Comodo breach will force organizations that might replace one or two certificates in a year to swap out nine certificates in a matter of hours - a painstaking and multi-step process that is often handled manually.
Is there *anything* I can download - just a few Kb in size - to patch up my browser when cert issues arrive, rather than waiting for browsers to hard code the strings in 1-20Mb download?
A great article but the author does himself in with the final paragraph:
A much better solution would be for certificates to only be valid for a few days and to forget about revocation altogether.
As someone who spends a lot of time mixing with the 'enemies of the internet' - incl some dodgy states not listed, like India - I've learned to treat my browser downloading a new certificate as an *exceptional* circumstance - something to be looked into. Certificates should be worth something and they should be worth keeping a while. What's with the arbitrary validity anyway. Let the issuers choose the validity on a per-certificate basis. After a while some researcher is going to suggest that 'a few days' is far too long and expose this proposal for the cludge it is.
Then there's the mechanism for reissuing frequently. Tag with 'whatcouldpossiblygowrong'.
If the above proposal gained traction all those MiM government-level adversaries would be delighted.
Slashdot Mirror
the inability to differentiate between how a word is spoken and how it is spelt ...
You might be in the same club considering you harped on about that and missed:
the kind of accent you might here from upper class
It came as quite a shock when it came to light he'd been charged for merely linking to banned content. It was quite possibly a first.
I'm not sure if he left Thailand because he had disagreements with the Thai government - if memory serves he left as a young teenager. He stayed in the US more than long enough to become a citizen - something like 30 years.
Each FACE is 3x3?
... deserves a mention here: https://thaipoliticalprisoners.wordpress.com/pendingcases/joseph-gordon/ (Yes this is Canada, not Thailand)
Did a quick scan, one of them is: "Update e-mail address of Jarkko Nikula". Also noted lots of work related to the gma500 driver lately, thanks Alan Cox.
Does this mean the US just has all of it's malware spread evenly between the many major cities?
Yes. The problem with this study is the low accuracy of the geoip data for Asia. Hanoi and Ho Chi Minh are around the middle of these lists but one half of the country appears in the geoip lookup as Hanoi; the other half appears as Ho Chi Minh - I'm currently 450km from HCM but that's where Maxmind says I am. I know from experience there are plenty of spammier locales in China than Beijing - again data is just getting aggregated. So the data in their writeup ('paper.pdf') is kind of lame because they only have top-10 and top-20 lists - 60% of which get populated by Asian cities acting as DHCP servers for their whole region. I suspect that if their lists ran down a bit longer we'd see bunches of US cities - perhaps with Phoenix, Arizona the first.
From TFPDF: The main problem with using GeoPlugin that it relies on the accuracy of Max- mind database [12], of which numbers on accuracy are available [13]. Even though the database is not 100% precise, (Maxmind claims that their “GeoIP databases are 99.8% accurate on a country level, 90% accurate on a state level and 83% accurate for the US within a 25 mile radius”), we believe the results obtained would still hold, even though with some margin for errors.
absolutely. I also agree with the commenter below, get rid of empathy and go back to pidgin, and then we'll be a step closer to ubuntu not being crap.
It might well happen.I think the main driver was the integration with Gnome and Ubuntu deferred to the Gnome guys. With Ubuntu moving away from Gnome lately we could see a reverse.
Trouble is, neither Pidgin nor Empathy have progressed very much since Ubuntu put together this comparison:
https://wiki.ubuntu.com/EmpathyVsPidginUsability
Evolution has not been 'booted' (word used in TFA), the decision on going ahead with Thunderbird or Evolution will be made before the release of alpha 3 in a few weeks. See the blueprint. I knew there was a reason why I stopped reading Extremetech.
I'm not a new user so my list of quibbles is irrelevant in this discussion. I pointed out two that might apply to the problem statement and I added some factual ballast.
> "Depending on hardware capabilities there are heavyweight (Gnome, KDE) and lightweight (Xfce, LXDE) versions."
The Xfce version has moved to Debian (which you "strongly advise against"). Note that Clem said with the Xfce version he's no longer putting the emphasis on being lightweight (although even a bloated Xfce on top of Debian would be a lot more zippy than Gnome on top of Ubuntu).
Using Wubi or mint4win is not a great idea as mom probably has only one partition - resulting in her not being able to access any of her files from Linux. That's not the best introduction to Linux is it?
One of the real pains about Mint is that the GUI package manager doesn't allow you to change to a mirror located nearer to you (it just changes the Mint repo; not the Ubuntu ones - so the experience of updating or installing new software might proceed at a snail's pace if you're not near the main servers - again not the greatest of intros.
> "Angry users have driven the app's rating down to less than two out of five stars."
Reminds me of of the Noscript - Adblock fiasco. Registered members at addons.mozilla.org all drove Noscript's rating down to one star but then Mozilla decided in their infinite wisdom that they should delete all those votes. If this campaign continues the same will happen here.
Was thinking exactly the same thing. I just spent all mine (first I got since the 'makeover') on some kdawson-related comments. At least this deserves an 'interesting' right?
Now explain to my grandmother, who just got her first email last week, how and why she needs to do that.
If your grandmother only received her first email last week then she definitely, absolutely, imperatively must stay away from 'that'. I'm amazed this has been moderated insightful. We've gone from 'think of the children' to 'think of the grandmothers' as a shortcut for those two lazy to engage in thoughtful analysis.
Most hotmail users do not know what HTTPS is. This move effetively disables cryptography for 90% of the users.
well, 90% of people on Slashdot don't know what HTTPS is - 90% of the other 10% are probably displaying a rather cock-sure, blissful ignorance. Think about it: a message going from country A to country B, two wifi connections that may or may not be encrypted, two governments that may or may not be intruding, two providers that may be cooperating with the former to varying degrees. If you don't know what https, say away from it. Don't tell anybody they're getting 'cryptography' if you're not able to give them a grounding in all the above. Or else you 'cryptography' will only be good for hiding your stuff from your mum.
And yes, some people who are emailing other people about their revolutionary plans and actions are somebody's grandmother.
Well are they now? When and if grandmothers are getting shot on the streets, DO NOT encourage them to mess around with technology they don't understand, ESP those "who just got her first email last week" (see GP). I'm not taking about messing with the settings - I'm saying just DON'T do it.
Your grandmother's going to get KILLED cos she can't send you apple pie recipes over https?
Why is summary recommending Yahoo in this instance? Last time I checked (10 mins ago) I couldn't get Yahoo mail to use https on regular pages. It seems Hotmail can still use https in the affected countries - as long as you explicitly type it in the address bar. Or use HTTPS Everywhere. Or choose a different country in your profile. So Hotmail is still better than Yahoo?
Hotmail users who browse the web with Firefox may force the use of HTTPS by default—while using any Hotmail location setting—by installing the HTTPS Everywhere Firefox plug-in.
I don't know what Microsoft are thinking here but seeing as it's using the country you set in your profile; not any sort of geoip lookup ... the remedy is simple: just change the country in your profile.
Actually, the author does address that. They key is that the private key would not change when the certificate changes. Unless the MiM has cracked the old cert (in which case you're screwed no matter what), they couldn't impersonate an update that keeps the same private key.
The two scenarios I'm thinking of when either: 1) a government, or 2) someone controlling you local network, manage to pass you fake certs. I can't say if the private key does or doesn't change in these two scenarios but the problem still remains - I'm being alerted to a certificate being renewed and I'm having to check up. You (or the author) don't address the 'whatcouldpossiblygowrong' or the 'escalation of cludginess' issues.
there is, it's called Certificate Revocation and Online Certificate Status Protocol
As has been discussed further down, those two methods are broken. I want to delete the certificates/authorities *as soon as* I find out they are suspect - not wait for a faulty mechanism to check up on certificates that I *already know* are compromised.
Specifically, someone could send back a 500 error when you try to access those sites. Most of today's browsers, on receiving that 500 error, will choose to continue treating the certificate as legit - but will give you almost zero notification that anything is amiss.
The removal of the 'weaker' certs and authorities needs to be scriptable. Connecting to Mozilla updates is bad at the best of times - much much more so in countries where this incident might be more of an issue.
From TFA:
The Comodo breach will force organizations that might replace one or two certificates in a year to swap out nine certificates in a matter of hours - a painstaking and multi-step process that is often handled manually.
Is there *anything* I can download - just a few Kb in size - to patch up my browser when cert issues arrive, rather than waiting for browsers to hard code the strings in 1-20Mb download?
A great article but the author does himself in with the final paragraph:
A much better solution would be for certificates to only be valid for a few days and to forget about revocation altogether.
As someone who spends a lot of time mixing with the 'enemies of the internet' - incl some dodgy states not listed, like India - I've learned to treat my browser downloading a new certificate as an *exceptional* circumstance - something to be looked into. Certificates should be worth something and they should be worth keeping a while. What's with the arbitrary validity anyway. Let the issuers choose the validity on a per-certificate basis. After a while some researcher is going to suggest that 'a few days' is far too long and expose this proposal for the cludge it is.
Then there's the mechanism for reissuing frequently. Tag with 'whatcouldpossiblygowrong'.
If the above proposal gained traction all those MiM government-level adversaries would be delighted.
As it's Grub-compatible, I hope it's going to be easy to add to a multi-boot usb toolkit. Along the lines of: http://www.pendrivelinux.com/boot-multiple-iso-from-usb-multiboot-usb/
Not read TFA but wonder whether these are there:
Aleks Krotoski
http://www.guardian.co.uk/technology/2010/mar/21/austin-heap-haystack-iran Gregg Kiezer
http://news.slashdot.org/story/10/02/21/2329249/Windows-7-Memory-Usage-Critic-Outed-As-Fraud