Wow. I didn't really mean to preach. I'm just saying that my e-mail experiance got lots better once I started running my own server and using that via Eudora. I got tired of paying (this was some time ago) for pop3 that would go down, or webmail that was painful to use.
I also am somewhat weird in that I can count the # of times I *needed* to check my mail away from my primary computer on my fingers. And the number of times I've wanted to I can plan ahead and use my throwaway yahoo address to check my pop3 mail (without deleting from the server).
My basic point is that if I can't get my mail, it's my fault, so I don't get that frustrated, powerless feeling I do when the ISP or whatever mail server goes down. I can do something to fix it.
So GMAIL offers pop3. So what? I've already got that, why should I change? GMAIL offers web acces. So what? I've got that, and I use it all of 4 times a year. Why should I change?
All of this is just my personal preference though. Almost everyone I know prefers web mail (though I'm not sure they know there are other kinds of e-mail), I just don't.
My experiance with webmail so far has been far less than impressive compared to Eudora. GMail web based dislikes Opera, and I don't have any need to change browsers for a service I'm disinclined to want in the first place.
Ummm, IE is already themeable AFAIK - that's what Maxathon is for instance. Also, easy plugins is what BHO's are... IE6 has had these since day one, before FF came out.
I don't know - I like the lack of ads. I like the speed of Eudora on messages on my local machine. I like being able to look through messages and not have to be online. I like the lack of "tags". I like unlimited attachment size. I like GPG plugins.
I like e-mail being separate from websites. I like not having my mail processed to show me ads.(wait I already said that didn't I?)
Oh, wait - I like not getting spam from those people who try every combination of @gmail, @yahoo etc....
And, I like VNC through Java applet for checking my mail or anything elsewhere! Just me though, I like taking the whole interface if I can(which I can do via broadband).
I also like not being more beholden to big companies for my communication.
You know, I have to ask, where are people browsing that they regularily get security, java, or other dialogs popping up? I cannot remember the last time I had a cert/security popup dialog. (wait, yes I can, I was playing around with proxomitron to filter SSL sites)
Whenever I get a pop-up, it's so out of place - I read it to see wtf its about.
You do. The java.policy file. You can set it by URL - for instance, the java sandbox defaults to not allowing net connections to any server but the one you downloaded the file from. You can change that by adding
As you can see, there is a lot of fine grained control allowed there - but you either need to be an admin, or have an admin to set such things per site.
I think some combination of trusted reviewer maintained policy files that can auto update + refusal for additional permissions for non reviewed applets will be necessary. Basically we cannot expect home users to admin their boxes.
Actually, Java has finer grained security than that, set by your.policy file. Back in the day, Java used to have a dialog that rather than asking if you trusted the applet, said:
This applet is requesting additional access prividledges. Do you want to allow it to Read/Write to your disk?
I'm pretty sure it was specific like that, this was in 99 or so on some D&D site that did mapping, when you tried to save a file you would get that in Netscape... I believe that based on the.policy granularity and what I've read in "MALWARE" by Ed Skoudis, Sun could code dialog boxes to say what the applet wanted to do.
Like read/write disk; Access other IP/Domains that where you dl it from; Access browser cookies; and more. That they don't I consider lazyness.
You know, I wonder why people feel that e-mail is unusable. I don't get more than one spam message every 3 months. You know why? I think it's two fold,
one I run my own e-mail server that doesn't get hammered with random addresses cause most people don't know it exists, and
two, I use spamex for the very low price of $10/year to have disposable e-mail addresses. I never give out real e-mail addresses to companies that want me to sign up. I have a button in my browser that opens up the spamex page, and it takes about 10 seconds to create a random e-mail address.
Well, the point I think is that the default would be the browser vendor picks the trusted reviewer, and also requires that at least one of their reviewers claims the applet is safe.
At some point the user does have to take responsibility, but I think this might be more understandable, especially if the boxes and such were clearly labelled. Also, I would think that to trust a reviewer, you'd have to do more than have a pop up dialog with the classic ok/cancel. I'm thinking more like go rather deep into preferences, and install a public key.
Yes, but what exactly is the bug? That it is possible for applets to request more permissions? I mean, this doesn't automatically go - it prompts the user that the application is requesting more prividledges, and isn't signed by anyone. The user then has to grant extra prividledges for it to work. As others have said, this seems to be similar to saying that being able to save files through a browser is a severe bug because you could download and then run a malicious app.
Everyone assumes that this is somehow limited to working on Windows. This particular exploit is, but not the methodology.
Let me explain. Java runs on all platforms mentioned. Assuming you do what the windows user HAS to do for this to work, click OK, then you can download and run a binary. Lets guess that this is a rootkit? Mmmm, 0wn3d.
Lets say it's spyware that runs in userspace. If I understand FF properly, any program running as USER (which this exploit binary started by java would be) can access the FF config files. Guess what, it sets a remote proxy. Instant logging of where you go.
Or, it sets a run in your user startup files(I forget the exact name) for a local proxy it installed, boom better logging.
Or, to get around firewalls, it modifies config files and locally installs an extension, boom BHO on FF on Linux.
This leads to an interesting situation. How would you go about fixing this? I would think that the only way would be to expand the signing to something more like SSL or PGP.
Personally I like PGP style, that way there could be sites (symantec, eset, etc...) + regular people (Mozilla foundation etc) that could verify applets (Java) and sign the applet's key (this would need to be like detached signatures, so specific to ONE binary implementation) as good/safe. And then the browser vendors could trust certain site's while users could add their own trusted reviewers, and only applets signed in that way would run.
Replace the "do you want to run this?" with a box that says - this applet/active content has not been verified to be safe, it will not run and the site may not function as expected. Please contact the site and ask them to submit for review to one or all of the following:.
That's all I can see that would work. I'd personally love to see Opera do this, as they are starting to lead the way with white listed registrars for IDNs, this is a logical extension.
Also, this would allow more security over one reviewer going rogue because you could require that 2 or more trusted reviewers claim the active content is safe, or allow users/browser vendors to invalidate reviewers that play games...
But I do agree with you about duties to society. That is why I am fine with compelling testimony in wrongs against society - ie, crimes. I just think that the rules ought to be different for private matters - that the state ought to stay out of private matters as much as possible. Now, if they want to make contract law criminal law (which I think would be wrong) that would change my statement.
Yes, I do think that. There could be any number of reasons I don't want to testify, and no one person is any better than any other, to compel me to do something I don't want to.
I also believe that courts shouldn't force morality on someone - to force me to help someone hurt. I should be able to make that decision on my own.
I also think they ought to be able to sue me if I refuse, but I think it most likely would be thrown out of court as I have no obligation to a stranger.
Mmmm, why is Trillian's IM encryption not secure? Anyway it doesn't help me as not everyone will use trillian. I need some non spyware, non breaking direct connect/file transfer encryption that will work for at least Trillian and AIM clients on the AIM network.
Right, I know that they are not being held liable. I am basically arguing against a lot of posters who think they should be. I'm also not arguing the law, but what I think the law should be.
I do have problems with people being supenaed (coerced to testify) in any way for private wrongs. I believe obstruction of justice or the requirement to give out relevant information should be limited to criminal cases.
This brings up another issue I hadn't thought of. This isn't a criminal proceding. Society HASN'T been harmed, or it would have been a crime rather than a tort. Should individuals have the right to place people in jail for obstruction of justice in regards to personal wrongs?
Torts should be strictly NON-JAIL. No matter how they touch, unless a crime is found.
I agree with having to provide evidence to help solve crimes - where society is wronged.
I don't think I should be compelled in the same way to help an individual if I don't want to.
I also think it's crazy that I have no liability to leaving a stranger to die on the street (assuming I'm just walking along[Note the example is for NYS law only - as I was informed by a Criminal Lawyer]) but I do have a liability to keep their secrets for them[in California at least].
I would not describe the printing of illegally obtained information for a profit to be "simply telling the truth".
But is someone telling you information illegial? I mean, breaking into a place, either physically or electronically to get info makes the info definately illegially obtained.
However, someone telling you something at a general e-mail address is entirely different.
I do have to ask how he's doing that. I think it makes a big difference. I mean, if I put out an ad, or on a website - send me info on stuff - that's very different than seeking out, contacting and encouraging employees under an NDA to break their contract and the law. I think the former ought to be ok, while the latter should be inciting a crime, or conspiracy to commit or whatever the civil term is.
I think the point is that asking someone for information should not be illegial. It doesn't matter what it is. Now, if the idiot tells you protected information, he is liable for being stupid. However, he - and anyone else who wanted it kept secret - is ought to be SOL.
I mean, again, I have no interest in keeping the information secret. And I have no contract about keeping it secret.
The only way I could agree with this legal setup is if there was conspiracy to commit a crime. I would say it's the difference between asking if anything interesting is going on (Ok IMHO) and saying "Get me the latest Schematics on the new release for ConX, and I'll cut you in on the ad sales".
Now, I don't know if these people were specifically going to employees place of work or stopping them on the street bugging for info or just had a website that said "Email Info here!". If it's the latter, I really have a hard time holding the people liable for keeping a secret.
I dont get this - why would I ethically be bound to protect other people's secrets that they failed to protect (keep from me)? Especially if they are strangers to me?
I mean, it's human nature to spread rumors, and people saying they can confirm the rumors with jucier details always have talking time.
Even worse is being legally liable for contracts involving corporations I am not party to. I mean, that doesn't sound chilling to free speech? Now, because I'm not an expert - I will be afraid to pass on any info I hear about a company that isn't already widely discussed. How would I know if it's a trade secret? I'm not a lawyer, and no company has ever posted (that I'm aware of) titles or something about what is a protected trade secret. I cannot see how this can work in any fair manner.
Slashdot Mirror
Wow. I didn't really mean to preach. I'm just saying that my e-mail experiance got lots better once I started running my own server and using that via Eudora. I got tired of paying (this was some time ago) for pop3 that would go down, or webmail that was painful to use.
I also am somewhat weird in that I can count the # of times I *needed* to check my mail away from my primary computer on my fingers. And the number of times I've wanted to I can plan ahead and use my throwaway yahoo address to check my pop3 mail (without deleting from the server).
My basic point is that if I can't get my mail, it's my fault, so I don't get that frustrated, powerless feeling I do when the ISP or whatever mail server goes down. I can do something to fix it.
So GMAIL offers pop3. So what? I've already got that, why should I change? GMAIL offers web acces. So what? I've got that, and I use it all of 4 times a year. Why should I change?
All of this is just my personal preference though. Almost everyone I know prefers web mail (though I'm not sure they know there are other kinds of e-mail), I just don't.
My experiance with webmail so far has been far less than impressive compared to Eudora. GMail web based dislikes Opera, and I don't have any need to change browsers for a service I'm disinclined to want in the first place.
I ask again, isn't Maxathon basically an advanced IE skin + extension bundle? And aren't BHOs the same as extensions?
Ummm, IE is already themeable AFAIK - that's what Maxathon is for instance. Also, easy plugins is what BHO's are... IE6 has had these since day one, before FF came out.
I see you can't even read my earlier post in this thread.
I don't know - I like the lack of ads. I like the speed of Eudora on messages on my local machine. I like being able to look through messages and not have to be online. I like the lack of "tags". I like unlimited attachment size. I like GPG plugins.
I like e-mail being separate from websites. I like not having my mail processed to show me ads.(wait I already said that didn't I?)
Oh, wait - I like not getting spam from those people who try every combination of @gmail, @yahoo etc....
And, I like VNC through Java applet for checking my mail or anything elsewhere! Just me though, I like taking the whole interface if I can(which I can do via broadband).
I also like not being more beholden to big companies for my communication.
And me, the why should I switch from my own POP3/Imap/Webmail server? I hate webmail !
You know, I have to ask, where are people browsing that they regularily get security, java, or other dialogs popping up? I cannot remember the last time I had a cert/security popup dialog. (wait, yes I can, I was playing around with proxomitron to filter SSL sites)
Whenever I get a pop-up, it's so out of place - I read it to see wtf its about.
I must just browse unusual sites I guess...
Ummm, only enable Java on sites where you expect to use it? Or, only give additional prividledges to applets you actually trust? . . .
You do. The java .policy file. You can set it by URL - for instance, the java sandbox defaults to not allowing net connections to any server but the one you downloaded the file from. You can change that by adding
grant codeBase "http://foo.net/-" {
permission java.lang.RuntimePermission "usePolicy";
permission java.net.SocketPermission "*", "accept,listen,connect,resolve";
};
As you can see, there is a lot of fine grained control allowed there - but you either need to be an admin, or have an admin to set such things per site.
I think some combination of trusted reviewer maintained policy files that can auto update + refusal for additional permissions for non reviewed applets will be necessary. Basically we cannot expect home users to admin their boxes.
Actually, Java has finer grained security than that, set by your .policy file. Back in the day, Java used to have a dialog that rather than asking if you trusted the applet, said:
.policy granularity and what I've read in "MALWARE" by Ed Skoudis, Sun could code dialog boxes to say what the applet wanted to do.
This applet is requesting additional access prividledges. Do you want to allow it to Read/Write to your disk?
I'm pretty sure it was specific like that, this was in 99 or so on some D&D site that did mapping, when you tried to save a file you would get that in Netscape... I believe that based on the
Like read/write disk;
Access other IP/Domains that where you dl it from;
Access browser cookies;
and more. That they don't I consider lazyness.
You know, I wonder why people feel that e-mail is unusable. I don't get more than one spam message every 3 months. You know why? I think it's two fold,
one I run my own e-mail server that doesn't get hammered with random addresses cause most people don't know it exists, and
two, I use spamex for the very low price of $10/year to have disposable e-mail addresses. I never give out real e-mail addresses to companies that want me to sign up. I have a button in my browser that opens up the spamex page, and it takes about 10 seconds to create a random e-mail address.
Well, the point I think is that the default would be the browser vendor picks the trusted reviewer, and also requires that at least one of their reviewers claims the applet is safe.
At some point the user does have to take responsibility, but I think this might be more understandable, especially if the boxes and such were clearly labelled. Also, I would think that to trust a reviewer, you'd have to do more than have a pop up dialog with the classic ok/cancel. I'm thinking more like go rather deep into preferences, and install a public key.
Yes, but what exactly is the bug? That it is possible for applets to request more permissions? I mean, this doesn't automatically go - it prompts the user that the application is requesting more prividledges, and isn't signed by anyone. The user then has to grant extra prividledges for it to work. As others have said, this seems to be similar to saying that being able to save files through a browser is a severe bug because you could download and then run a malicious app.
Everyone assumes that this is somehow limited to working on Windows. This particular exploit is, but not the methodology.
Let me explain. Java runs on all platforms mentioned. Assuming you do what the windows user HAS to do for this to work, click OK, then you can download and run a binary. Lets guess that this is a rootkit? Mmmm, 0wn3d.
Lets say it's spyware that runs in userspace. If I understand FF properly, any program running as USER (which this exploit binary started by java would be) can access the FF config files. Guess what, it sets a remote proxy. Instant logging of where you go.
Or, it sets a run in your user startup files(I forget the exact name) for a local proxy it installed, boom better logging.
Or, to get around firewalls, it modifies config files and locally installs an extension, boom BHO on FF on Linux.
This leads to an interesting situation. How would you go about fixing this? I would think that the only way would be to expand the signing to something more like SSL or PGP.
.
Personally I like PGP style, that way there could be sites (symantec, eset, etc...) + regular people (Mozilla foundation etc) that could verify applets (Java) and sign the applet's key (this would need to be like detached signatures, so specific to ONE binary implementation) as good/safe. And then the browser vendors could trust certain site's while users could add their own trusted reviewers, and only applets signed in that way would run.
Replace the "do you want to run this?" with a box that says - this applet/active content has not been verified to be safe, it will not run and the site may not function as expected. Please contact the site and ask them to submit for review to one or all of the following:
That's all I can see that would work. I'd personally love to see Opera do this, as they are starting to lead the way with white listed registrars for IDNs, this is a logical extension.
Also, this would allow more security over one reviewer going rogue because you could require that 2 or more trusted reviewers claim the active content is safe, or allow users/browser vendors to invalidate reviewers that play games...
But I do agree with you about duties to society. That is why I am fine with compelling testimony in wrongs against society - ie, crimes. I just think that the rules ought to be different for private matters - that the state ought to stay out of private matters as much as possible. Now, if they want to make contract law criminal law (which I think would be wrong) that would change my statement.
Yes, I do think that. There could be any number of reasons I don't want to testify, and no one person is any better than any other, to compel me to do something I don't want to.
I also believe that courts shouldn't force morality on someone - to force me to help someone hurt. I should be able to make that decision on my own.
I also think they ought to be able to sue me if I refuse, but I think it most likely would be thrown out of court as I have no obligation to a stranger.
Well, as long as it works with both Trillian and AOL's client, I would use that. What about SIMP?
Mmmm, why is Trillian's IM encryption not secure? Anyway it doesn't help me as not everyone will use trillian. I need some non spyware, non breaking direct connect/file transfer encryption that will work for at least Trillian and AIM clients on the AIM network.
Right, I know that they are not being held liable. I am basically arguing against a lot of posters who think they should be. I'm also not arguing the law, but what I think the law should be.
I do have problems with people being supenaed (coerced to testify) in any way for private wrongs. I believe obstruction of justice or the requirement to give out relevant information should be limited to criminal cases.
This brings up another issue I hadn't thought of. This isn't a criminal proceding. Society HASN'T been harmed, or it would have been a crime rather than a tort. Should individuals have the right to place people in jail for obstruction of justice in regards to personal wrongs?
Torts should be strictly NON-JAIL. No matter how they touch, unless a crime is found.
I agree with having to provide evidence to help solve crimes - where society is wronged.
I don't think I should be compelled in the same way to help an individual if I don't want to.
I also think it's crazy that I have no liability to leaving a stranger to die on the street (assuming I'm just walking along[Note the example is for NYS law only - as I was informed by a Criminal Lawyer]) but I do have a liability to keep their secrets for them[in California at least].
I would not describe the printing of illegally obtained information for a profit to be "simply telling the truth".
But is someone telling you information illegial? I mean, breaking into a place, either physically or electronically to get info makes the info definately illegially obtained.
However, someone telling you something at a general e-mail address is entirely different.
I do have to ask how he's doing that. I think it makes a big difference. I mean, if I put out an ad, or on a website - send me info on stuff - that's very different than seeking out, contacting and encouraging employees under an NDA to break their contract and the law. I think the former ought to be ok, while the latter should be inciting a crime, or conspiracy to commit or whatever the civil term is.
I think the point is that asking someone for information should not be illegial. It doesn't matter what it is. Now, if the idiot tells you protected information, he is liable for being stupid. However, he - and anyone else who wanted it kept secret - is ought to be SOL.
I mean, again, I have no interest in keeping the information secret. And I have no contract about keeping it secret.
The only way I could agree with this legal setup is if there was conspiracy to commit a crime. I would say it's the difference between asking if anything interesting is going on (Ok IMHO) and saying "Get me the latest Schematics on the new release for ConX, and I'll cut you in on the ad sales".
Now, I don't know if these people were specifically going to employees place of work or stopping them on the street bugging for info or just had a website that said "Email Info here!". If it's the latter, I really have a hard time holding the people liable for keeping a secret.
I dont get this - why would I ethically be bound to protect other people's secrets that they failed to protect (keep from me)? Especially if they are strangers to me?
I mean, it's human nature to spread rumors, and people saying they can confirm the rumors with jucier details always have talking time.
Even worse is being legally liable for contracts involving corporations I am not party to. I mean, that doesn't sound chilling to free speech? Now, because I'm not an expert - I will be afraid to pass on any info I hear about a company that isn't already widely discussed. How would I know if it's a trade secret? I'm not a lawyer, and no company has ever posted (that I'm aware of) titles or something about what is a protected trade secret. I cannot see how this can work in any fair manner.