Slashdot Mirror


User: ArsenneLupin

ArsenneLupin's activity in the archive.

Stories
0
Comments
4,557

Comments · 4,557

  1. Buy a regular *huge* hiking backpack on Ask Slashdot: Laptop + DSLR Backpacks · · Score: 1

    Then get a "laptop sleeve" for your laptop.
    When hiking around, stick both laptop (in sleeve), and camera (in its small camera bag) into your backpack.

    Added bonus: there's also space for your lunch box, an extra set of clothes, water bottle, or whatever else you might need on a hike. And when you reach a scenic stretch of trail, take your camera out of the backpack, and put it around your neck (or on belt), so it's easily accessible without having to stop every 20m to take your camera... And when you reach a more boring stretch, back it goes into the backpack where it's easier to carry.

  2. Re:"on condition of anonymity" on Scotland Yard Confirms It's Using Facial Recognition Tech · · Score: 2

    "We want to see who is doing a great job at enforcing the peace! Better law enforcement through publicity! We need his name and picture! After all, he has nothing to hide right? Right?"

    He doesn't want to hide from the public, but rather from his colleagues (maybe he is not actually allowed to share this detail with the public, so he must remain anonymous to avoid reprisals from within the force)

  3. Re:Troll shirts next on Right-Wing German Extremists Tricked By Trojan Shirts · · Score: 1

    Yes!!!!!!! Does anybody know the address of a shop where you can get these printed?

  4. Re:This won't be a popular opinion... on Right-Wing German Extremists Tricked By Trojan Shirts · · Score: 1

    Lighten up. It's a goddam T-Shirt. And one you got for free. You see the new picture when you take it out of the washing machine... before you would put it on and embarrass yourself in public. It's not as if this was changing while you're wearing it (reacting to body heat and sweat), making you unaware of the message that you're displaying.

    Now, for some truly bad mischief, print a T-Shirt which changes into a cartoon of kiddie porn. Even if it happens in the privacy of the victim's home, the damage would still be done: indeed, legally the victim would not even be allowed to throw it away, as that would be destruction of evidence...

  5. Re:That is awesome on Right-Wing German Extremists Tricked By Trojan Shirts · · Score: 1

    And does anybody want to chip in for some t-shirts to give away at the next Micro$oft conference?

  6. Re:Genius. on Right-Wing German Extremists Tricked By Trojan Shirts · · Score: 3, Interesting

    The original T-Shirt had "Hardcore Rebellen, National und Frei" on it. Unless you already know who "Hardcore Rebellen" is, it's hard to figure out that this is a right-wing extremist group.

    Well, maybe the word "National" may tip somebody off, but so many other things which have nothing to do with right-wing extremism have "national" in their name too, so you really have to already be looking for tell-tale signs to spot this. And the "tough" logo with skull and flags would look like generic rocker/biker wear to the uninitiated.

    However, after the wash, the "We'll help to free you from right-wing extremism." is pretty obvious...

  7. Re:In related news ... on New USB Specification Promises 100W of Power · · Score: 1

    Do you mean a cross cable?

  8. Fisht posht! on Wireless Charging On the Droid Bionic? · · Score: -1, Troll

    ha!

  9. Re:There's a line on RIM Helping UK Police Track Down Rioters · · Score: 1

    In the UK only specially trained police officers are allowed to carry guns.

    Apparently this "special training" does not prevent them from shooting their colleague's walkie-talkie instead of the intended target...

  10. Re:There's a line on RIM Helping UK Police Track Down Rioters · · Score: 1

    that means somebody had a gun who shouldn't have.

    Indeed. Only policemen who are good enough marksmen to not accidentally fire on their colleagues should have guns...

  11. Re:You don't want to do this. on Ask Slashdot: Self-Hosted Gmail Alternatives? · · Score: 1

    Gmail occasionally ends up on spam block lists too, and it is deserved too.

    The only reason why you might see it blocked less often is because some people wrongly think that it is "too big to fail".

    A properly run small mail server does not get blocked, unless you actually do send out spam (... or are really careless in choosing your hosting provider).

    Think about it: how did people do it before gmail came along? All those comments make it sound as if setting up a working email server was rocket science. Come on guys, this is supposed to be a site for geeks...

  12. Re:I want my free encryption on Ask Slashdot: Does SSL Validation Matter? · · Score: 1

    No.... the system runs at securelevel 2. It's not possible to run gdb, trace any process, or access raw memory from user programs, or a root shell.

    What if somebody subverts the securelevel, and then fires up gdb?

    In addition, veriexec is enabled at level 1, and most filesystems are read-only: upgrades are handled by imaging entire filesystems.

    What if the intruder subverts veriexec, and remounts the filesystems read-write?

  13. Re:Like all One-Size-Fits-All approaches.. on Ask Slashdot: Does SSL Validation Matter? · · Score: 1

    I'm not sure whether you're just trolling, or whether you seriously are looking for this information, but here is the CA Certificate Policy for mozilla browsers. Other browsers have similar policies. If you run a "new" certification authority, it's difficult to get your root cert included into browsers. Just ask the fine folks at cacert.org what kind of uphill battle they have to face.

    Of course, the real problem is "old" CAs who have been "grandfathered" in, because "they are too big to be excluded". But that doesn't mean that auditing requirements are just a fairy tale "belief". They are very real, especially for the more recent CAs.

  14. Re:Like all One-Size-Fits-All approaches.. on Ask Slashdot: Does SSL Validation Matter? · · Score: 1

    Hmm. Isn't it possible to create a Web-of-trust system requiring a certain amount of independent validations of a certain peer?

    This is certainly possible, but the difficulty lies in fine-tuning the parameters to attain the security even against a coordinated attack, while still keeping the system usable by small-time web site operators, which may not have the resources to get signed by 1000 trusted peers.

    Also, validity of the certificate will be in the eye of the beholder ("how many paths lead from me to you, and how independent are they from each other?"), so it will be a nightmare for a website admin to test whether their certificate is good enough for a large enough percentage of visitors.

  15. Re:Like all One-Size-Fits-All approaches.. on Ask Slashdot: Does SSL Validation Matter? · · Score: 1

    Apply for a validated cert, you'll see that they all use the exact same procedure (which is to check some well-known company registry) - they don't do actual validation themselves.

    One would hope that in addition to checking the company registry, they would check some photo id of the requester, or else any crook could look up who is the CEO of the target company, and claim to be him...

    Having it done twice won't change anything, except more money in more pockets.

    It may protect against sloppiness by one of the CAs (such as the case when Microsoft certificates were accidentally issued to crooks), or dishonesty of one of the CAs (such as a CA run by a foreign government wanting to do industrial espionage).

  16. Re:Like all One-Size-Fits-All approaches.. on Ask Slashdot: Does SSL Validation Matter? · · Score: 1

    As far as I know, it is not true to say that CAs are audited, and in fact there are well-known problems with CAs signing stuff that they shouldn't.

    Yes, there are indeed problems with current CAs despite the strict auditing requirements. However, do you believe that not requiring any audit whatsoever, and allowing basically everybody and his mom to be a CA would make things any better?

    but you can also require multiple signatures

    That's a good point. However, it is non-trivial to figure out the amount of signatures that both

    • keeps the system usable, even for small and little known sites
    • is resistant against a dedicated attacker, who works with multiple agents to create his fake banking certificates

    You might, for instance, require that two of the current CAs have signed a certificate before it lights up as "green" in a browser URL bar.

    Good, so that would solve the security angle of the current CAs, but would make the price angle worse (now sites will effectively have to pay 2 different CAs to get a valid certificate...)

  17. Re:Can it altogether. on Ask Slashdot: Does SSL Validation Matter? · · Score: 1

    A recent evaluation showed that 80% of sites with certificates did not have them set up properly anyway.

    As someone else already pointed out, browsers by default do not even warn you if a site's cert is invalid.

    Could you elaborate on this? Which are these certificate configuration problems which browsers don't even warn you about?

    Most browsers do warn about the following:

    • Requested host name does not match name in certificate
    • Certification authority not trusted by browser (which includes badly set up chained certificates, unless the browser already knows the intermediate CA through a previously visited site)
    • Certificate expired
    • ...

    So, which common problem do they not warn about?

  18. Re:I want my free encryption on Ask Slashdot: Does SSL Validation Matter? · · Score: 1

    Why do you think we have to type in a 64-character passphrase every time we start Apache on the secure servers, before they can unlock the secret RSA key, get added to the load balancer, and start answering requests?

    No... breaking into my server does not let you pretend to be me.

    If somebody rooted your server, they could attach a gdb to the already running Apache process, in order to grab the already-decrypted private RSA key from memory.

    All this passphrase protects against is exploits which need rebooting the server, or maybe physically stealing the server. However, most exploits don't depend on rebooting the server.

  19. Re:MITM between the server and a backbone on Ask Slashdot: Does SSL Validation Matter? · · Score: 1

    Perspectives alerts you to the changed cert in this scenario.

    Not if the MITM was already present the first time that perspectives tries to validate the cert.

  20. Re:Like all One-Size-Fits-All approaches.. on Ask Slashdot: Does SSL Validation Matter? · · Score: 1

    Won't work, as long as spammers and scammers can cheaply create phony entities in the web of trust. It's exactly the same problem as link farms.

    Could you please elaborate on this?

    It takes only one member of the web of trust who either inadvertently or deliberately signs a bad certificate to make the whole thing collapse. Effectively, all members of the web-of-trust are not only certified identities, but also certification authorities (as each member has the power to vouch for further members).

    In the "real world", certification authorities must pass very stringent audits in order to make sure that they know and correctly implement their responsibilities. With a web of trust, anybody can become a CA, if he attends a key signing party...

    This works for PGP, because the stakes are low, and so crooks are uninterested to subvert it, but you can bet that if a web-of-trust system will be used to sign SSL certificates, all the phishers will have "valid" certificates of all the banks in no time...

    Just remember how little time it took for spammers to get gmail accounts, even at the time when you still needed "invites" to join...

  21. Re:The scam will always win -- its all about the s on Ask Slashdot: Does SSL Validation Matter? · · Score: 1

    1) Stop selling the idea that certificates "verify" who you're talking to. They don't. They never did. As soon as I compromise your server -- easily done, as history shows -- I have your certificate. If it is remote across your network, a little more work, but still, soon I'll have it. Now you have still encryption of the intermediate channel, but the wrong person is catching the data.

    ... and certificates don't cure AIDS either. But that's not what they're supposed to be used for.

    Certificates are meant to secure the communication channel, in order to make sure no unauthorized third party taps in the middle. If the end points are compromised (server or client workstation), all bets are off.

    That's why organizations that care (such as some banks) make damn sure that their servers are secure, and cannot be compromised. A bank however has no jurisdiction on the path from its customers to its servers, so it cannot make sure that no router at an ISP or Wifi access point at a coffee shop is compromised. That's where SSL and certificates come in: making sure that the communication is secure, even if some nodes on the route are compromised. However, it doesn't protect against compromise of end points, and never was meant to.

    3) Stop "allowing" certificates at all. We can easily make them at zero cost, and we should. The whole "Verisign" thing is a complete and utter scam, and always has been, one with the collusion of the browser makers with the fake warnings and "scare the user" policies. Giving ownership of the encrypted data channel to profit making operations was a stupid, stupid move, and has served only to cripple e-commerce from the day it began -- it's one more useless and endless cost for the small entrepreneur to have to absorb, and therefore in the end, the consumer.

    You can get cheap certificates at startssl.com. Basic one-site certificates (no wildcard, no subject alt names) are free, anything more fancy costs $59.90 per identified user (but unlimited number of certificates... great for hobby hosting operators!)

    Further, it has evolved into a higher stakes / cost game of buying that little green verification bar in some browsers. Scams upon scams.

    ... and even that, you can get from startssl.com (if you feel you need it), but it's more expensive.

  22. Re:Change for the sake of change? on Linus Torvalds Ditches GNOME 3 For Xfce · · Score: 1

    Of course as a KDE user myself I want to ask why he didn't switch to KDE instead

    Maybe he's still traumatized by the botched change from KDE3 to KDE4 (where it took almost 2 years for KDE4 to stabilize, after it was already shipping in mainstream distributions...).

    Gnome didn't invent these shenanigans, they're just following KDE's suit!

  23. The real question is... on UK Health Service Fears Huge Legal Fight Over Unwanted Contracts · · Score: 1

    ... whose palms were greased to secure the signature of those dodgy contracts in the first place?

  24. Re:Question for those more knowledgable than I on Earth May Once Have Had Two Moons · · Score: 2

    it has not been always showing Earth the same face

    Yes, that's why, in the olden days, the moon used to be called "full frontal nudity"...

  25. Re:I don't get it on Mug-Shot Industry Digs Up Your Past, Charges You To Bury It · · Score: 1

    a Rotary club membership

    Do you really think that those extortionate sites would dare to bother such hard core criminals? Just scan your Rotary membership card, and email it to the site admin, and your mugshot will be gone in no time!