Slashdot Mirror


User: ArsenneLupin

ArsenneLupin's activity in the archive.

Stories: 0 · Comments: 4,557

Comments · 4,557

  1. Re:Thanks for providing a real world example.. on New Messenger Has Same Old, Gaping Privacy Holes · · Score: 1

    not a serious privacy problem

    It depends. Just replace "one homosexual friend" with dozens of homosexual friends, and then the one homophobe friend will start drawing conclusions about yourself... Which may be more serious, if you're not out yet yourself.

  2. Re:Thanks for providing a real world example.. on New Messenger Has Same Old, Gaping Privacy Holes · · Score: 1

    via niece, church or whatever

    You'd better not mention church...

  3. Re:Thanks for providing a real world example.. on New Messenger Has Same Old, Gaping Privacy Holes · · Score: 1

    We gay people don't see matters so narrowly... We'd see such a situation as a wonderful excuse for a threesome :-)

  4. Re:Thanks for providing a real world example.. on New Messenger Has Same Old, Gaping Privacy Holes · · Score: 1

    The difference is probability.

    Such "gas station" situations can happen... but frankly, what is the probability? Probably less than 1%.

    However, with the hotmail situation, there is 100% probability that she will notice your "new" friendship when she logs in next time.

  5. Re:Rubbish on The Tuesday Birthday Problem · · Score: 1

    If you have two sticks of different color and you put one in a box before the other and shake the box, it doesn't change the outcome of pulling out the red stick.

    Probability is all about what you know and what you don't.

    Of course, if you already have the info that both sticks are of a different color, then the probability of pulling out another red stick (boy) after you've already got a red one is exactly 0.

    However, if you only knew that:

    1. There are only red and blue sticks
    2. The box contains two sticks
    3. There is (at least) one red stick in

    ... then the probability for the other to be red as well would indeed be only 1/3.

    The key here however is how you find out about 3. If it is by pulling out one stick, you'd have established an order (the order with which you pull sticks out), so the probability for the other one to be red would only be 1/2.

    However, if the (trustworthy) game-show host would tell you that there is (at least) one red stick in the box, this wouldn't establish an order among sticks, and so the probability of there being 2 red sticks would be only 1/3.

  6. Re:Two reasons for SSL on 22 Million SSL Certificates In Use Are Invalid · · Score: 3, Informative

    That's why browsers are starting to add things like ForceTLS, which will add an interface so you can tell the browser to only visit a site with SSL

    Those users most likely not to notice the lock icon will not know about this, and not know for which site they'd need to set this.

    and for the website to tell the browser (for a fixed time) to visit the site only with SSL.

    Many big sites use SSL only on certain pages. So either the protocol's granularity is the domain, and those sites are screwed (either can't use the feature, or incur the SSL overhead even on those pages that don't need it), or the granularity is finer (precise URL within site) and the man-in-the-middle will just set up a fake login on a URL in the domain that is not marked "SSL only".

    And many large sites (Facebook, I'm looking at you) don't care about making it obvious to users that they use SSL: the default login form is on a plain HTTP page, and even though the submission URL is actually SSL, there is no easy way (short of view source) for the user to check that this is (still) the case.

    Case in point: a while back, a friend of mine asked me to help him find out his estranged wife's Facebook password. He still had control over her Internet router. We set up a man-in-the-middle which just patched the Facebook login form to submit over plain HTTP rather than HTTPS, and she didn't notice anything...

  7. Re:Two reasons for SSL on 22 Million SSL Certificates In Use Are Invalid · · Score: 1

    Certs should be issued by the government, like passports - for a reasonable fee.

    Given how far behind most governments are in technological matters, these certificates would be supplied on hardware dongles for which only a 16-bit driver for Windows 3.11 is available. And the fee would only become reasonable after the population ignored the scheme for 2 years.

    And specs would be closed to anybody, except to those who volunteer to give the phat sysadmin of the CA some sexual favours, and even then they'd be far from complete...

    So, be careful what you wish for! These stains are very hard to clean off the back seat of your car.

  8. Re:Two reasons for SSL on 22 Million SSL Certificates In Use Are Invalid · · Score: 2, Informative

    That's why telnet is better than SSH.

    On first connection to a given server, ssh does provide the server key's fingerprint, which you can (and should) verify against a reference obtained out of band.

    And if ever the server's key changes later on, the client will warn you very loudly about it.

    So ssh does give you some assurance that you are talking to the server you think you should be talking to.

    Of course, somebody could still have rooted the server, or the server admin himself could be shady, but to protect against these is not the purpose of the certificate (even though it is frequently misunderstood as such).

  9. Re:Two reasons for SSL on 22 Million SSL Certificates In Use Are Invalid · · Score: 1

    Encrypted, but not verified -- secure against passive listening, but not against MITM, no certificate needed, not even a self-signed-one.

    You mean, with a public/private key pair generated completely on the fly?

    (a self-signed certificate is pointless anyway, it's a digital document saying "I'm Mr X, honest, because I say so", which is a null statement really)

    It's still useful, because the browser will warn you whenever it changes, as is the case with ssh.

    With a self-signed certificate, you will get a warning the first time (and you get the opportunity to manually double-check the fingerprint against a reference obtained out-of-band), and from then on no warning until it changes (which will raise red flags if there was no good reason for such a change).

    With a public/private key generated on the fly, you'd see a change on each visit.

  10. Re:Two reasons for SSL on 22 Million SSL Certificates In Use Are Invalid · · Score: 1

    the exception you are required to add ALSO changes the security mode used for Javascript!

    Oops, that's bad!

    Firefox, why are you doing such nonsense? It's already annoying enough that SSL has the side-effect of messing with browser history, but this really takes the cake! All an attacker would have to do is to make his (gaming, forum, phun, ...) site an SSL site (... with a deliberately bad certificate), and suddenly he gets handed the keys to the kingdom!

  11. Re:Two reasons for SSL on 22 Million SSL Certificates In Use Are Invalid · · Score: 1

    I really can't understand what's so wrong with temporary exceptions...

    ... especially since temporary (only for this session) exceptions used to be possible in older versions of Firefox.

  12. Re:Two reasons for SSL on 22 Million SSL Certificates In Use Are Invalid · · Score: 1

    Sure, if the domains don't match you don't have verification, but the communication is still encrypted, and if you happen to control both ends of the exchange, that's all you need.

    Nope, you'd also need to control the middle. Or else the middle might pretend to be the server to the client, and pretend to be the client to the server, negotiating a different session key with each, and neither the client nor the server would be the wiser.

    So the client or server needs a way to verify that it is indeed speaking directly to the server, without anybody in the middle listening in. Such verification can be done either via an additional secure channel (the client knows the server's public key beforehand) or via a trusted third party that signs the servers' public keys.

  13. Re:Rubbish on The Tuesday Birthday Problem · · Score: 2, Informative

    this is the same as saying "I have just tossed a 10 pence coin and it has come up heads, what is the probability that another coin toss will come up heads?"

    Nope, it is equivalent to "I have just tossed a 10 pence coin twice, and I tell you that it has come up heads at least once, what is the probability that it has come up heads twice".

    The 2/3 vs 1/3 probability hinges on the fact that the ordering of the kids is not defined.

    If the kids' father told you "my oldest child is a boy", then you would be right.

    Unfortunately, any defined order can play that role ("the first of his kids that I met in person", "the first of his kids that he mentioned", ...), which makes this problem so hard to grasp. Depending on exactly in which context he mentioned that one of his kids was a boy, the probability of the other being a boy too may change from 1/2 to 1/3 or any value in between.

  14. Re:Simple really... on Verizon Charged Marine's Widow an Early Termination Fee · · Score: 1

    but really this seems to me more like her milking her dead husband.

    Yeah, the good old times of Windows 95 and the Rolling Stones...

  15. Maybe now is the perfect time that we, the custome on Chase Bank May Drop Support of Chrome, Opera · · Score: 1

    Maybe now is the perfect time that we, the customers, drop our support for Chase Bank, withdraw all our money, and place it at more trustworthy places, because obviously Chase has no idea about security.

    My God, in those post-fall-2008 days, how foolish can a bank be to chase customers away in this manner? Let Darwin take over, and let's hope they won't get a "too big to fail" bailout. They don't deserve it.

    If you hold stock in Chase, now is the time to sell. And if you don't, but want to make a quick buck, now is the time to short it.

  16. Re:google-analytics.com ? on Google Shares Insights On Accelerating Web Sites · · Score: 1

    If you have any body onload scripts, then they will wait for the entire page to load... including google analytics that are at the very bottom.

  17. Re:Noscript on Google Shares Insights On Accelerating Web Sites · · Score: 1

    And if I see flash it's a damn good indication I just don't care what's on the site.

    Except for games...

  18. Re:Won't somebody think of the children! on California Tracks Parolees With GPS, Then Ignores Alerts · · Score: 4, Interesting

    Even if nobody acts on the alarms, there's still a log file.

    So if a crime is committed somewhere, it will be relatively easy to check whether any of the paroled felons were in the vicinity when it happened.

    So the deterrence factor against committing further crimes will still exist.

  19. Re:Spammers will LOVE this on HP and Yahoo To Spam Your Printer · · Score: 1

    Physical newspapers are inconvenient because of their wide format.

    Fixed that for you. Think about your seat-neighbor on the bus or train.

  20. Re:What's more outrageous... on Spamhaus Fine Reduced From $11.7M To $27K · · Score: 1

    Environmental protesters must not destroy oil rigs

    ... but petrol companies can...

  21. Re:cool idea but why? on Microsoft's Glasses-Free 3D Display · · Score: 1

    Or more to the point: 10% of people are color blind, but somehow they still sell color TVs.

    .... or are those 10% of color-blind people only in some color-blind Metropolis (... and where would that be...)?

  22. Re:The difference between Microsoft & Apple on Microsoft's Glasses-Free 3D Display · · Score: 1

    That should serve you right for getting your apps from elsewhere than the app store.

    You know, Apple just wants to protect the user from malicious apps such as your iScale app...

  23. Re:# of viewiers? on Microsoft's Glasses-Free 3D Display · · Score: 1

    Headphones

  24. Re:Joke on Smart Underwear Designed For Military · · Score: 1

    How would that work? If somebody replies to your post, that means that you have made a post, which means that you can no longer mod.

    ... unless you mod unrelated posts by the same person in another story, but such behaviour is usually frowned upon...: a post should be modded in its own right (i.e. being in reply to the right post), not for rewarding/punishing the poster (...having done another post which is worth modding)

  25. Re:Stay classy, Reuters on FBI Investigating iPad E-Mail Leaks · · Score: 1

    Brilliant! Only nitpick: The hands are positioned a little bit too low for the apple logo.