Quantum Cryptography is established real technology. It's not particularly *useful*, but it's real.
You won't have gaping security holes in the last mile if you buy this stuff - it's designed to work on end-to-end dark fiber. You'll still need crypto for other reasons, and you'll still have gaping holes inside your wiring closets, but last mile won't be a problem. The range of the system is 120km, so if you're trying to connect buildings together that are farther apart than that, you do have a physical security problem you'll need to manage at your repeater locations.
This won't increase your phone bills unless you buy it. It's not a system designed for carriers to put in their network backbones - it's designed for an end-user customer to buy dark fiber service between a pair of buildings and put these boxes on the ends. The carriers generally charge a pile of money for that kind of service, and the more people buying it, the better their economies of scale, so if you're a consumer who's not buying this, that's slightly positive for you.
The carriers won't need to pay them with quantum money - the end customers will need to pay in real money...
Oh, it's definitely design, even though 95% of the time that the machine hibernates it's because I've taken it somewhere with me (the rest of the time it's because it's run out of battery when I wasn't near an electric socket), and even though I work at home almost all the time and therefore don't need the $%%^&$^% 10-minute screen-saver timeout either.
The fact that the machine sometimes doesn't shut down because the VPN client is busy telling me "the VPN's down because your internet connection went down because your wireless card doesn't have power, is this ok?" isn't by design, though:-)
There are occasional delays in restart because I sometimes have to wait for the machine to wake up and give a password to the screensaver before I can get to the wireless settings, either because I'm at one of my customers where some of their wireless networks permit VPNs and some don't, or because the aether is blowing the wrong direction and my laptop's picking up my neighbor's access point instead of mine.
It's possible to get spyware infesting your OS that does this, but most of the popups have been browser weaknesses/features, not OS weaknesses. Linux doesn't encourage you to use IE the way Windows does, and Windows doesn't go out of its way to get you to use Konqueror, and the kind of people who click "Yes" on any dialog box offering to upgrade their browser are more likely to be Windows users, so there's a bit of correlation, but it's mainly a browser problem.
I'm using an older Mozilla version and haven't gotten around to upgrading to Firefox 2 yet, and my work PC doesn't let me have the administrative privileges to add to the hosts file, so I occasionally see popups from Vonage or yieldmanager or a couple of Indian sites; I think they're probably using Javascript tricks to pop themselves up.
For the most part, disk capacities have been increasing faster than the Moore's Law double-in-18-months for the last few years. I stopped caring about disk capacity somewhere around the time 6GB drives got replaced by 20GB drives which got replaced by 120GB drives over about 2-3 years, each at under $100/drive. (Then I got BitTorrent and started downloading lossless-compression music, so I temporarily had to pay attention again:-)
My first Vax, 22 years ago, had 1GB of disk, in the form of four washing-machine-sized drives which used removable 250MB disk packs. The drives cost about $120K total, and the packs were about $1000 each. There isn't really an exact comparison to that combination; you could either look at DVD-RW ($40 for the drive, $0.50 for the disks, so 8-12000x the price/capacity), or amortize the drive across some number of packs to compare to fixed disks (e.g. 10 packs per drive would be $160K for 10GB, though I think we only bought about 3 packs per drive over before that machine was obsolete), or you could make some unbalanced comparison like $20 for a CF-to-USB adapter and $20/GB for Compact Flash cards, which would be a mere 200:1 on the removable media but 6000:1 for the "drive".
My Thinkpad is running Windows XP Pro. I normally have it set to sleep if I close the lid, and hibernate if it's been sleeping for more than 3 hours. Sleep uses a bit of power, but it wakes up very quickly, normally just a few seconds. Hibernate takes longer, and is less reliable - maybe 10-20% of the time it fails to start correctly (e.g. keyboard drivers don't wake up or other random weirdness that forces me to reboot), and I find that if it's been hibernating, I should be sure to give it time to wake all the way up, i.e. get coffee.
The big delay in returning from either of these modes is waiting for wireless 802.11g internet connection to wake up and set all its parameters correctly, get an IP address from the WAP, etc. If I know I'm going into my office, I can avoid that by turning off the wireless before closing the lid, and Ethernet is finally smart enough to just ask for DHCP every time it gets connected or wakes up.
The other issue I have is that I normally use a VPN to connect to work, and the VPN tunnel doesn't like getting shut down and restarted, especially with a different IP address, so I still have to re-authenticate by typing in my security token code to the VPN client.
Biodiesel is a great way to get rid of used oil from restaurants, but it doesn't scale beyond the amount of oil that restaurants use. With used oil, the resource is not only free, but it's eliminating an environmental cost, and eliminating any disposal cost the restaurant would have to pay. I don't know how often you eat French fries, but basically it's only going to power small fraction of the cars and trucks in the world.
With *new* oil, you need to look at the costs, both financial and environmental, of producing the oil. Corn is a heavily subsidized crop in the US, and the corn industry owns lots of politicians, and corn farmers would like to have more markets for their crops, but basically it's not a very energy-efficient way to produce oil, and if the farmers are using fertilizer on their crops, it's generally a big net loss - corn plants mostly produce leaves and stalks, and the seeds are mostly starch, and the oil's a small fraction of the energy that went into the plant. Oily seeds such as soybean, canola, peanuts, and sunflowers are better, but it's not clear that even those are a big win, and certainly converting a significant fraction of the US's oil usage to those oils would require ecologically challenging amounts of land.
Yes, yards and meters are different, but by less than 10%. RFID range is highly unlikely to be that precise - it's going to depend on angles, speeds, battery age, dirt, equipment sensitivity. If you care about the answer, either because you've stolen a car or because you don't want your government tracking everywhere everybody in your country goes, or because you don't want advertisers or burglars easily tracking cars, you know they can nail you at around that distance.
At least this isn't like the US RFID passport ranges, where they're blatantly lying about "oh, the range is only a couple of inches", because that's what they use for the passport-control officers' readers, when in reality there are more sensitive readers that can read them from 10 yards or meters away, and not only can identity thieves use them, but the government can also use them for whatever creative illegal tracking they come up with.
AFAICT, a lot of that spam has images in it, which display the actual pump&dump stock scam or 1-800-NIGERIAN-LOTTERY phone number or whatever, and your ISP or email client is discarding that part. Some of it's also viruses, but the image spam is the new popular technique for stock spam, and the random text is there to tell Bayesian filters that it passes the Turing test.
Your comment about the site not running RDNS is appropriate - it's not always a good criterion for spamminess, especially in the context of servers that send mail for multiple domains from a single IP address, but it's pretty commonly used in spam blockers, and does give you a certain minimum level of accountability and technical competence for sites that are sending mail.
However, the fact that the domain isn't using SPF or DomainKeys shouldn't be used in any decision about whether email from there is spam. Those tools are used to detect forgeries, and forgeries are often spam or worse, but there's no reason to expect that a site not using SPF is a spammer, or that a site using SPF is not a spammer, and in fact many spammers go out of their way to set their domains up for SPF to trick people who think otherwise.
Of course, if the problem is that your Bayesian filter thinks that your MP's speeches about how he's going to provide lots of government jobs for his district and scholarships to help YOU get a university degree and that the lottery is providing lots of jobs for Nigerian immigrants and such is all bogus, well, you'll either have to upgrade your filters or your MP...
Bill Gates's latest marketing strategy is to prevent spam and other junk email by paying $200 to anybody who agrees never to buy anything from a spammer!
Pump&dump stock scams *do* attack the sucker in the wallet, though perhaps not as painfully as poisoned fake pills do. After all, the spammer is making money by buying the worthless stock for cheap and selling it at a higher price to the enthusiastic suckers, who then have to try to sell of their worthless wallpaper to each other. Some of the suckers might make money selling to other suckers, but most of them are going to lose a bunch of money. Now, losing a bunch of money might not teach them as much of a lesson as dying, especially because they were obviously stupid to start with, but after they lose a couple of times they might get the hint.
Unfortunately, there's another sucker born every minute, and two to take him.
[Insert usual checklist about why your suggestions won't work.]
For traditional spam, if a US-based spammer is selling Nigerian Herbal Viagra out of his double-wide and mailing it to the suckers directly, you can trace that kind of stuff directly and maybe stomp on them, and maybe you can get past the retail spammer to get to their wholesalers, if they haven't found some obvious cut-out to protect themselves. (And with Nigerian 419 scams, the scammer does have a bank account with $29 million, but alas, it's in some country where the US doesn't have jurisdiction:-)
But pump&dump stock scams are different. The sucker isn't buying the stock from the person who sent the email - they're buying a publicly traded stock on the open market (yeah, right...) The people selling the stock aren't spammers - they're "innocent" investors who thought the stock looked like it had real potential, or maybe they even got a hot stock tip on the net and decided to buy it, just like the other suckers are. It might sometimes be possible to prove they were involved, but it's unlikely and difficult, though there's enough regulation in the stock market that sometimes you can bust them for stock fraud as opposed to for spamming.
So there are two obvious questions - why is that scam suddenly more popular, as opposed to Nigerian Herbal Viagra or whatever, and why is more of it getting through spam filters? Part of the reason probably has to do with which Mafias or rednecks or zombie herders or other miscreants are trying to make money these days, but a big technical issue is that Pump&Dump Stock Scams don't require the sucker to contact the spammer - they buy the stock through Schwab/ETrade/etc. So the spammer doesn't need to send the message from a working reply-capable email address, and doesn't have to provide a clickable URL or human-typable URL, because all the sucker needs to know is the stock symbol WXYZ and what exchange it's on. This means that the spammer can send things like an image with minimal text for the spam filters to filter on, and can send them from random zombies or email servers, and if they use inline images, they can avoid using a URL that's blacklistable (or alternatively, host the image on a random zombie.)
During the days the Grateful Dead were touring and most of us had analog tape equipement, the standard way that music was passed around was to make analog copies of analog tapes - if you were lucky you got a 3rd-generation copy of an original from somebody who got a direct feed from the friendly soundboard engineers, and if you were unlucky all you could find was a 6th-generation copy made on cheapass equipment from somebody with bad mikes in the taper section of the audience next to a guy who was yelling a lot.
Once digital recorders became widely available and we started moving this stuff into the computer environment, it was possible to do lossless coding using Shorten or later FLAC, or you re-create the authentic taper experience by getting a 128kbps MP3 file converted from some other format using a lousy compression program, thus the popularity of passing around lossless copies and doing any lossy compression for your own music player only.
Jerry's been gone these last 11 years, but there are a number of other bands that tour and allow tapers, and there's a lot of concert material available. Bittorrent makes it fairly practical to actually distribute files online now, and sites like e-tree.org are big on this technology.
Microsoft Netmeeting has been around since Win95osr2, and its successors are still supported. It wasn't a stunning product, but it had basic functionality, ran standards-based H.323, and was free. Cameras cost $29 these days, if you don't get them free with your breakfast cereal. Take one of those PCs that won't support Vista and fire it up in the conference room...
I guess there may be some older Macs that have USB1.x and Firewire, but most systems these days have USB2, and if you've got that, you might as well use it for external disks. For a USB flash stick, backing up to internal disk is probably fine, but for backing up the internal disks, there's a lot to be said for external drives on USB (or Firewire).
External disks have a separate power supply, so if you lose the internal drive because of bad power, the external is usually still safe.
External USB/FW drives have their own controllers, so if you lose the internal drives because your disk controller fried or your RAID controller scribbled the disks they're probably still safe, even if they're plugged in.
External drives are often unplugged, so if you lose the internal data because some software scribbled the disk or a user did something really stupid, the data's probably still there. You might even get lucky and dodge a virus attack, though that's harder, and USB drives are more likely to get plugged into different machines at different times, making it easier to propagate viruses.
The big risk with AJAX isn't that it introduces new vulnerabilities that Javascript doesn't have, or that good Javascript writers can't write good safe Javascript. The big risk is that evil Javascript writers can write harmful Javascript, and good AJAX web pages dangle something shiny in front of the user that makes them turn Javascript on at all, so when they also view the evildoers' web pages, they're running the harmful Javascript.
It is of course possible for well-intentioned Javascript or AJAX writers to write insecure code, which can be attacked either by the end user or possibly by cross-site scripting attacks, and the author of the article offers some good advice about how to prevent and manage those risks. IMHO, it's really really nice to hear somebody today offering up the same basic advice I learned when I first took programming in college 30 years ago, which is to never ever trust input from users. Any kind of scripting that runs in the browser offers more opportunities for a programmer to trust the end users - for instance, one of Javascript's big uses has always been to validate input fields in forms before submitting them to the web server, and while that can often help users who accidentally put incorrect types of information in forms, or forget to fill out fields you want, it's no protection against a malicious user trying to send malformed data to your application. AJAX gives you some more tools for trusting users (:-), as well as more tools to validate input from users because of the structure imposed by XML. And of course it's also possible for malicious users to abuse old-fashioned simple web forms, especially if the programmer isn't careful about validating form contents for safety before handing them to any applications.
Most of the popular browsers give the user some granularity in managing what kinds of scripting you'll accept from what sites, so in theory it's not as dangerous as just turning on the big red kick-me switch like on earlier browsers (or Netscape 2, which didn't even give you a choice.) But in practice the tools aren't that friendly, and the vast majority of users aren't going to use them successfully.
For some reason, some iPod models get grouchy about plugging into computers that don't want to talk iTunes and aren't set up to accept them as a disk drive, even if all you're trying to do is suck down USB battery power. You can get an overpriced iPod charger that doesn't have this problem.
Or you can get a powered USB hub for about $10, and if you don't plug it into your computer, the iPod's happy. USB 1.1 hubs have become really cheap now that USB2 is out, and for low-speed devices like mice, keyboards, and DC power they work just fine.
My old Nokia phone supported a simple cheap charger cable with USB on one end and the phone's power connector on the other. No brick, no wall wart, uses a laptop for power, and the phone could run a long time even if I couldn't plug in the laptop, and any time I was going anywhere for business, I'd have the laptop and didn't need more clunky parts in the laptop bag (the USB-powered Ethernet hub also rocked.)
Unfortunately, my next Nokia phone couldn't use it, because it needed more amperage or some other undocumented quality. Now that I've got a cretinously stupid Motorola phone, I'll have to see if I can find the cable again.
Watch out for leftover jaggedy fragments of atoms. And if CERN gets involved, there may be some technology spinoffs about displaying mixtures of pictures and text on the Internet.
If your definition of "without breaking anything" is "changing the underlying data conversion semantics in ways that can sometimes be implemented by changing a library but sometimes require A Simple Matter of Programming to modify the application, at a cost of relinking or recompiling every piece of software that uses DNS and then doing regression tests on it", then yes, I suppose it addresses the problem:-)
But the issue is not just user interfaces, unless you're including "make humans type punycode" as part of your solution - you're changing the semantics from a 2-step process to a 3-step process, and it's not always obvious whether the correct semantics include doing the middle step or not, especially in the reverse direction. There are some default decisions that you can implement in libraries that maintain the current programming interface that can usually do the right thing, but sometimes you may need to change the API.
If we could wait to solve this problem until we were converting everything to IPv6, it would simplify things, because IPv6 usually requires changing all your programs and libraries anyway, but unfortunately it's not that simple.
More precisely, DNS is supposed to be case-insensitive and case-fold requests when appropriate. For IDN purposes, the important issue is that one 8-bit byte may get transformed to a different 8-bit byte, which is fine for 7-bit ASCII characters and usually wrong for bytes that represent half of a 2-byte Unicode character. The fact that the transformation can also be implemented by a bitmask is an implementation detail that's not really in the DNS standards, but it does mean that there are bytes with values 128-255 (such as ISO-LATIN-1 bytes or halves of 2-byte Unicode) that might be undamaged by a lookup table implementation but would be damaged by a bitmask implementation.
As you say, the character set is limited to the subsets that were widely supportable on machines in common use in the early 80s - but it's still exactly designed to be human-readable (abbreviations of) natural-language text, just as the machine charcter sets were. If they weren't trying to do that, numerical IP addresses were just fine.
And while people in the networking infrastructure business know that IP addresses used for switching are implemented in high-performance ASICs and other tuned hardware environments (which does not, alas, perform very well yet for IPv6 on most platforms), I'm rather puzzled about your assertion about domain name comparisons being implemented in hardware. It's mostly BIND and djbdns and a couple of other packages, and while there are "DNS appliances", they're either vanilla PC hardware 1U servers with the appliance-maker's logo on the front, or else they're variants of Unix-on-a-Stick general-purpose computers (possibly with ARM or MIPS instead of x86.) I haven't seen anybody doing a DNS server based on ASICs or FPGAs, and I don't see how it would be a particular win, either for performance (because DNS needs big memory caches, which aren't a good hardware match) or for reliability (because you need really trustable software to manaage the databases, so you'd be using a Unix or possibly WinNT backend even if you had some kind of accelerator widget front-end.
I agree with you about not using writeable media on dangerously untrustable systems, so your virus-cleaners and similar tools need to be read-only. There *are* some write-protectable flash drives these days - I think I've mainly seen them as Compact Flash, so you'd need a USB CF-card reader, but those are trivially cheap. However, CDROM media is basically free, and the person whose machine needed cleaning probably needs to have you leave them a copy:-)
You won't have gaping security holes in the last mile if you buy this stuff - it's designed to work on end-to-end dark fiber. You'll still need crypto for other reasons, and you'll still have gaping holes inside your wiring closets, but last mile won't be a problem. The range of the system is 120km, so if you're trying to connect buildings together that are farther apart than that, you do have a physical security problem you'll need to manage at your repeater locations.
This won't increase your phone bills unless you buy it. It's not a system designed for carriers to put in their network backbones - it's designed for an end-user customer to buy dark fiber service between a pair of buildings and put these boxes on the ends. The carriers generally charge a pile of money for that kind of service, and the more people buying it, the better their economies of scale, so if you're a consumer who's not buying this, that's slightly positive for you.
The carriers won't need to pay them with quantum money - the end customers will need to pay in real money...
The fact that the machine sometimes doesn't shut down because the VPN client is busy telling me "the VPN's down because your internet connection went down because your wireless card doesn't have power, is this ok?" isn't by design, though
There are occasional delays in restart because I sometimes have to wait for the machine to wake up and give a password to the screensaver before I can get to the wireless settings, either because I'm at one of my customers where some of their wireless networks permit VPNs and some don't, or because the aether is blowing the wrong direction and my laptop's picking up my neighbor's access point instead of mine.
I'm using an older Mozilla version and haven't gotten around to upgrading to Firefox 2 yet, and my work PC doesn't let me have the administrative privileges to add to the hosts file, so I occasionally see popups from Vonage or yieldmanager or a couple of Indian sites; I think they're probably using Javascript tricks to pop themselves up.
My first Vax, 22 years ago, had 1GB of disk, in the form of four washing-machine-sized drives which used removable 250MB disk packs. The drives cost about $120K total, and the packs were about $1000 each. There isn't really an exact comparison to that combination; you could either look at DVD-RW ($40 for the drive, $0.50 for the disks, so 8-12000x the price/capacity), or amortize the drive across some number of packs to compare to fixed disks (e.g. 10 packs per drive would be $160K for 10GB, though I think we only bought about 3 packs per drive over before that machine was obsolete), or you could make some unbalanced comparison like $20 for a CF-to-USB adapter and $20/GB for Compact Flash cards, which would be a mere 200:1 on the removable media but 6000:1 for the "drive".
The big delay in returning from either of these modes is waiting for wireless 802.11g internet connection to wake up and set all its parameters correctly, get an IP address from the WAP, etc. If I know I'm going into my office, I can avoid that by turning off the wireless before closing the lid, and Ethernet is finally smart enough to just ask for DHCP every time it gets connected or wakes up.
The other issue I have is that I normally use a VPN to connect to work, and the VPN tunnel doesn't like getting shut down and restarted, especially with a different IP address, so I still have to re-authenticate by typing in my security token code to the VPN client.
Sure, it's kind of trite, and it's no substitute for having a better-designed OS with better-designed apps and hardware, but it really does help.
With *new* oil, you need to look at the costs, both financial and environmental, of producing the oil. Corn is a heavily subsidized crop in the US, and the corn industry owns lots of politicians, and corn farmers would like to have more markets for their crops, but basically it's not a very energy-efficient way to produce oil, and if the farmers are using fertilizer on their crops, it's generally a big net loss - corn plants mostly produce leaves and stalks, and the seeds are mostly starch, and the oil's a small fraction of the energy that went into the plant. Oily seeds such as soybean, canola, peanuts, and sunflowers are better, but it's not clear that even those are a big win, and certainly converting a significant fraction of the US's oil usage to those oils would require ecologically challenging amounts of land.
At least this isn't like the US RFID passport ranges, where they're blatantly lying about "oh, the range is only a couple of inches", because that's what they use for the passport-control officers' readers, when in reality there are more sensitive readers that can read them from 10 yards or meters away, and not only can identity thieves use them, but the government can also use them for whatever creative illegal tracking they come up with.
AFAICT, a lot of that spam has images in it, which display the actual pump&dump stock scam or 1-800-NIGERIAN-LOTTERY phone number or whatever, and your ISP or email client is discarding that part. Some of it's also viruses, but the image spam is the new popular technique for stock spam, and the random text is there to tell Bayesian filters that it passes the Turing test.
However, the fact that the domain isn't using SPF or DomainKeys shouldn't be used in any decision about whether email from there is spam. Those tools are used to detect forgeries, and forgeries are often spam or worse, but there's no reason to expect that a site not using SPF is a spammer, or that a site using SPF is not a spammer, and in fact many spammers go out of their way to set their domains up for SPF to trick people who think otherwise.
Of course, if the problem is that your Bayesian filter thinks that your MP's speeches about how he's going to provide lots of government jobs for his district and scholarships to help YOU get a university degree and that the lottery is providing lots of jobs for Nigerian immigrants and such is all bogus, well, you'll either have to upgrade your filters or your MP...
Send this email to all your friends, and register at http://stopspammers.microsoft.com/$200.html to get your $200 today!!
Unfortunately, there's another sucker born every minute, and two to take him.
For traditional spam, if a US-based spammer is selling Nigerian Herbal Viagra out of his double-wide and mailing it to the suckers directly, you can trace that kind of stuff directly and maybe stomp on them, and maybe you can get past the retail spammer to get to their wholesalers, if they haven't found some obvious cut-out to protect themselves. (And with Nigerian 419 scams, the scammer does have a bank account with $29 million, but alas, it's in some country where the US doesn't have jurisdiction
But pump&dump stock scams are different. The sucker isn't buying the stock from the person who sent the email - they're buying a publicly traded stock on the open market (yeah, right...) The people selling the stock aren't spammers - they're "innocent" investors who thought the stock looked like it had real potential, or maybe they even got a hot stock tip on the net and decided to buy it, just like the other suckers are. It might sometimes be possible to prove they were involved, but it's unlikely and difficult, though there's enough regulation in the stock market that sometimes you can bust them for stock fraud as opposed to for spamming.
So there are two obvious questions - why is that scam suddenly more popular, as opposed to Nigerian Herbal Viagra or whatever, and why is more of it getting through spam filters?
Part of the reason probably has to do with which Mafias or rednecks or zombie herders or other miscreants are trying to make money these days, but a big technical issue is that Pump&Dump Stock Scams don't require the sucker to contact the spammer - they buy the stock through Schwab/ETrade/etc. So the spammer doesn't need to send the message from a working reply-capable email address, and doesn't have to provide a clickable URL or human-typable URL, because all the sucker needs to know is the stock symbol WXYZ and what exchange it's on. This means that the spammer can send things like an image with minimal text for the spam filters to filter on, and can send them from random zombies or email servers, and if they use inline images, they can avoid using a URL that's blacklistable (or alternatively, host the image on a random zombie.)
Once digital recorders became widely available and we started moving this stuff into the computer environment, it was possible to do lossless coding using Shorten or later FLAC, or you re-create the authentic taper experience by getting a 128kbps MP3 file converted from some other format using a lousy compression program, thus the popularity of passing around lossless copies and doing any lossy compression for your own music player only.
Jerry's been gone these last 11 years, but there are a number of other bands that tour and allow tapers, and there's a lot of concert material available. Bittorrent makes it fairly practical to actually distribute files online now, and sites like e-tree.org are big on this technology.
Microsoft Netmeeting has been around since Win95osr2, and its successors are still supported. It wasn't a stunning product, but it had basic functionality, ran standards-based H.323, and was free. Cameras cost $29 these days, if you don't get them free with your breakfast cereal. Take one of those PCs that won't support Vista and fire it up in the conference room...
It is of course possible for well-intentioned Javascript or AJAX writers to write insecure code, which can be attacked either by the end user or possibly by cross-site scripting attacks, and the author of the article offers some good advice about how to prevent and manage those risks. IMHO, it's really really nice to hear somebody today offering up the same basic advice I learned when I first took programming in college 30 years ago, which is to never ever trust input from users. Any kind of scripting that runs in the browser offers more opportunities for a programmer to trust the end users - for instance, one of Javascript's big uses has always been to validate input fields in forms before submitting them to the web server, and while that can often help users who accidentally put incorrect types of information in forms, or forget to fill out fields you want, it's no protection against a malicious user trying to send malformed data to your application. AJAX gives you some more tools for trusting users (:-), as well as more tools to validate input from users because of the structure imposed by XML. And of course it's also possible for malicious users to abuse old-fashioned simple web forms, especially if the programmer isn't careful about validating form contents for safety before handing them to any applications.
Most of the popular browsers give the user some granularity in managing what kinds of scripting you'll accept from what sites, so in theory it's not as dangerous as just turning on the big red kick-me switch like on earlier browsers (or Netscape 2, which didn't even give you a choice.) But in practice the tools aren't that friendly, and the vast majority of users aren't going to use them successfully.
Or you can get a powered USB hub for about $10, and if you don't plug it into your computer, the iPod's happy. USB 1.1 hubs have become really cheap now that USB2 is out, and for low-speed devices like mice, keyboards, and DC power they work just fine.
Unfortunately, my next Nokia phone couldn't use it, because it needed more amperage or some other undocumented quality. Now that I've got a cretinously stupid Motorola phone, I'll have to see if I can find the cable again.
Watch out for leftover jaggedy fragments of atoms. And if CERN gets involved, there may be some technology spinoffs about displaying mixtures of pictures and text on the Internet.
But the issue is not just user interfaces, unless you're including "make humans type punycode" as part of your solution - you're changing the semantics from a 2-step process to a 3-step process, and it's not always obvious whether the correct semantics include doing the middle step or not, especially in the reverse direction. There are some default decisions that you can implement in libraries that maintain the current programming interface that can usually do the right thing, but sometimes you may need to change the API.
If we could wait to solve this problem until we were converting everything to IPv6, it would simplify things, because IPv6 usually requires changing all your programs and libraries anyway, but unfortunately it's not that simple.
More precisely, DNS is supposed to be case-insensitive and case-fold requests when appropriate. For IDN purposes, the important issue is that one 8-bit byte may get transformed to a different 8-bit byte, which is fine for 7-bit ASCII characters and usually wrong for bytes that represent half of a 2-byte Unicode character. The fact that the transformation can also be implemented by a bitmask is an implementation detail that's not really in the DNS standards, but it does mean that there are bytes with values 128-255 (such as ISO-LATIN-1 bytes or halves of 2-byte Unicode) that might be undamaged by a lookup table implementation but would be damaged by a bitmask implementation.
And while people in the networking infrastructure business know that IP addresses used for switching are implemented in high-performance ASICs and other tuned hardware environments (which does not, alas, perform very well yet for IPv6 on most platforms), I'm rather puzzled about your assertion about domain name comparisons being implemented in hardware. It's mostly BIND and djbdns and a couple of other packages, and while there are "DNS appliances", they're either vanilla PC hardware 1U servers with the appliance-maker's logo on the front, or else they're variants of Unix-on-a-Stick general-purpose computers (possibly with ARM or MIPS instead of x86.) I haven't seen anybody doing a DNS server based on ASICs or FPGAs, and I don't see how it would be a particular win, either for performance (because DNS needs big memory caches, which aren't a good hardware match) or for reliability (because you need really trustable software to manaage the databases, so you'd be using a Unix or possibly WinNT backend even if you had some kind of accelerator widget front-end.
I agree with you about not using writeable media on dangerously untrustable systems, so your virus-cleaners and similar tools need to be read-only. There *are* some write-protectable flash drives these days - I think I've mainly seen them as Compact Flash, so you'd need a USB CF-card reader, but those are trivially cheap. However, CDROM media is basically free, and the person whose machine needed cleaning probably needs to have you leave them a copy :-)