Slashdot Mirror


User: KWTm

KWTm's activity in the archive.

Stories: 0
Comments: 599

Comments · 599

  1. Re:Show me the attack model so I can shoot it down on Dell Plans to Sell PCs at Wal-Mart · · Score: 1
    Oooh, this is fun!

    [Shopping for a computer by visiting an online store using a public library computer is unsafe because of a possible] Key logger?

    It should be possible to confuse a key logger. Type a bunch of garbage digits mixed in with the credit card number, use the mouse to click after the garbage digits, and press backspace. For further obfuscation, use the mouse to click back and forth among fields likely to contain a lot of digits, such as the credit card number, expiration date, and signature panel number.

    While what you say is true, remember that we were referring to someone ordering his/her first computer online. Such a person would not be familiar with such obfuscation techniques. Even for someone familiar with computers, if s/he knows enough to use these keylogger-confusion schemes, s/he would likely just skip the hassle and order from home.

    Your argument would be valid for a geek who, for whatever reason, couldn't do it from home (e.g. computer broke down, needs to order new one). Even then, wouldn't it be faster to order it over the phone?

    Besides, how did the attacker even get a key logger onto a computer owned by a library? Let's analyze that part of the attack model too.

    I did my homework on this one, so here's your answer:

    The librarian.

    Unfettered access to the computer after hours, trusted by the staff --hey, for someone unscrupulous, it would be pretty profitable to download some keylogger off the net and install it.

    If the librarian is not computer savvy, then maybe it's someone the librarian trusts. Maybe the librarian's nephew, who says, "Hey, Auntie, I can help you fix up the computer to make it more organized and easier to use." And then after half an hour of installing a keylogger (while the librarian busies herself reshelving books), the nephew turns on the Bigger Fonts option and says, "Look, now your elderly library patrons can read more easily." The librarian says, "Such a smart boy!" and the nephew starts harvesting passwords and social security numbers.

    Or it could even be just some guy who can install a keylogger given enough time, say two hours. But the library only allows patrons to use the computers for fifteen minutes. But this really pitiable young fellow, who shows up to volunteer at the library and really helps out, says, "I need the computer for two hours to compose my resume and look for a job. Please please please??" and the librarian makes an exception. You know computers are defenseless against someone with physical access to the machine. If the chassis is locked down and there's no bootable CD-ROM drive in the computer, the evil hacker reboots into BIOS and sets the computer to boot first from the USB port, then unplugs the USB mouse and plugs in his USB flash drive with STD-Knoppix or something, installs the MS Windows rootkit, puts all the hardware back the way it was, and then reboots the computer, and everything looks fine, except that suddenly files starting with $SYS$ are suddenly invisible.

    Way too many points of attack. While you're right that a skilled geek could form a Tunnel of Pretty Good Security against this, I'd rather just use my own computer.

    Like that Dellbuntu notebook that I'm drooling over.
  2. Re:Show me the attack model so I can shoot it down on Dell Plans to Sell PCs at Wal-Mart · · Score: 1

    In the case of someone who uses a public library computer to access Dell's SSL site to buy a computer, are you concerned that an attacker might intercept the credit card number? If so, what approaches would the attacker use?

    I'll give it a try.

    Key logger?
  3. I'm one of those 3. Here's the system I'll buy: on Dell Ships Ubuntu 7.04 PCs Today · · Score: 2, Interesting

    I thought I should hang back and let others do the initial buying, to see how well this works out and whether the hardware crashes and burns. But if everyone did that, then nobody would buy because no one would want to be first. Since I've been looking forward to getting a Linux notebook, I think it should be okay for me to be one of the first "tryer-outers". Also, hopefully this venture of Dell's into Ubuntu will be high-profile enough that if I encounter any problems, I'll scream and shout that I'm going to post about my problems on Slashdot, and then Dell shall suffer the wrath of Slashdot!!</voice> and they'd be more willing to fix it.

    In addition to the basic notebook at $599, I decided to upgrade the memory from 512MB to 2GB (+$200), since it's probably the most precious commodity around; if I try to upgrade later, say in 2 years, some new memory standard will probably have come out and I won't be able to find the proper chips.

    I figured I'd upgrade the hard drive, too, from 80GB to 160GB. I had thought I would upgrade the 2.5" HDD myself, but it comes with a SATA hard drive, and I've only worked with PATA hard drives[1]. Anyway, that's another +$125 for the HDD upgrade.

    My third upgrade is for the DVD burner. The original price comes with a CD burner/DVD-ROM drive, but I've always had problems with Linux and DVD burning --my Kubuntu box has the LITE-ON DVD DL burner, and so far I've had to power up our Win2k box to burn DVD's. For +$40, I'm happy to get the DVD DL burner, and I want to see if K3b will let me burn all 8GB+ onto a DL DVD. Would be sweet if I could.

    The only thing I don't like is the screen size. I don't care about widescreen[2], and you can't directly compare diagonal screen sizes of 16:9 (widescreen) screens with 4:3 (conventional) sizes, so I converted. The diagonal of a 16:9 screen is 1.22 times as long as a 12:9 (that is, 4:3) screen for the same height, so I divided the 15.4" diagonal length of the widescreen by 1.22 to get 12.6". So I'm really getting a 12.6" screen, except it's wider. That's tiny. The ThinkPad that my work gives me is 15" (4:3 aspect, same screen height as 18.3" widescreen) and I don't think it's big enough. Well, at least the small screen size makes the laptop smaller and portable.

    By the way, what the heck is "TrueLife (glossy)"? I have the option to have it or not have it for my screen, at the same price, but it sounds like a load of MarketSpeak.

    So, anyway, here's my system, cut&pasted from the Dell page:

    Intel® Pentium® dual-core proc T2080(1MB Cache/1.73GHz/533MHz FSB
    Ubuntu Edition version 7.04
    15.4 inch Wide Screen XGA Display with TrueLife(TM)(glossy)
    2GB Shared Dual Channel DDR2 SDRAM at 533MHZ, 2 DIMM
    160GB 5400 RPM SATA Hard Drive
    8X CD/DVD Burner (DVD+/-RW) with double-layer DVD+R write capability

    53 WHr 6-cell Lithium Ion Primary Battery
    Intel PRO/Wireless 3945a/g

    1Yr Ltd Warranty and Mail-In Service
    Recycling Kit and Plant a Tree for Me

    Intel® Graphics Media Accelerator 950
    Integrated Audio
    Intel Centrino Core Duo Processor

    I'll probably sit on this till next week, and then make the purchase.
    Any comments? Is this a good deal, or am I being foolish?

    I'm experimenting with the Slashdot journal, so maybe I'll post stuff in my journal about how the purchase is going, and I think I can set it up so that people can post comments.

    -----
    [1] PATA notebook drives: It's not that I'm afraid of SATA drives; it's that I've been standardizing on PATA 2.5" drives because I have a number of 2.5" notebook enclosures that, for $25, turn the internal notebook HDD into an external USB HDD that fits into my shirt pocket.

    [2] widescreen: Please don't give me that crap about "But if your screen's not wide enough, you don't see the whole movie --it will be chopped off at the left and right sides!" Well, then, just shrink the movie! I don't see anyone ever saying, "You need a 4:3 screen, because your TV show will be chopped off at the top and bottom by a 16:9 screen!"

  4. I'll pay to be sure Linux works now AND later on Dell Ships Ubuntu 7.04 PCs Today · · Score: 5, Interesting
    I've been waiting for this day, so I plan to buy the Ubuntu laptop in the next week or two.

    At first, the base price may be more expensive than the Windows laptop, but:
    1. probably not by much
    2. In the long run, the Windows laptop may be more expensive when I have to pay more for add-ons that are on the Linux Hardware Compatibility List. (You know, like buying a wireless card that works.) Even if I end up wiping the system and reinstalling some other Linux distro, I want to know that the hardware works with Linux.
    3. Even if the add-on itself is pretty cheap, I've found that often I will end up buying a number of the cheap add-ons before I find one that's Linux compatible, so that effectively I've spent more money than actual list price (of the peripheral) to get it working. For example, I've got some webcams lying around that I ended up giving to the wife for her notebook. (She told me, "I only need one, you know...")
    4. Most importantly, my time is valuable to me. I don't want to have to spend the time messing around with a Linux distro trying to see which video driver is going to work for me. Hey, don't get me wrong: I like tinkering just as much as the next guy, but in the meantime I want to have a working system. I'd rather tinker to see what I can make even better, rather than tinker to get something working.
      In the past, I have proudly emerged from the entrails of my machine saying, "Yesss! What a breakthrough! Am I a geek or what? After countless hours of Googling, downloading drivers, messing with the hardware, and writing my own script files, my computer now finally works properly!" Meanwhile, my wife's machine has worked from the beginning. Well, been there, done that; now I want to move on. I want it to just work.
    5. The above referred to my willingness to pay more to receive a machine that works when I receive it, but I also get a future benefit by joining the critical mass that Dell creates by selling this machine. Specifically, since there is only one notebook (Inspiron E1505) from a major vendor that comes with Linux, I can be pretty sure that when someone comes out with something in the future for a notebook running Linux (say gRoadMaps or something), the author or the community will make sure it runs on that notebook. The same might not be true for some cheaper notebook with some weird chipset.
    6. Dell responded to us as a community. We should support them, not just to reward Dell, but to show the rest of the corporate world that, yes, it is worthwhile supporting Linux. I'm not just referring to Dell's competitors, but manufacturers of Linux-INcompatible hardware (WinModems, anyone?).
    7. You know we'll set up some Ubuntu system for the relatives so we don't have to do tech support for all their malware complaints? Well, this is the hardware equivalent. My dad's laptop is getting old and is starting not to meet his needs. If I'm happy with this Inspiron/Ubuntu package, I'll get one for my dad. Maybe then finally we can have hassle-free GPG-encrypted email and tunneled VNC for tech support. (Currently I refuse to support his Windows laptop.)
    8. As a sibling poster noted, perhaps the Linux notebook is cheaper ($600 vs $699 for Windows?)

    So, when I tally it up, it's definitely to my self-interest to get the Dellbuntu system, even if it looks more expensive at first.
  5. Re:OpenOffice team: WHY?? Are you NUTS?? on First OpenOffice Virus, Not In the Wild · · Score: 1

    Yeah, I heard the AbiWord spreadsheet is particularly good.

    Yes, I think so too. (Well, Gnumeric isn't officially part of Abiword, but you know what I mean --the default spreadsheet application on the Ubuntu GNOME desktop.) I use it despite having a KDE desktop.
  6. Canada has non-Rogers/non-Shaw options? Good! on ISPs Hate P2P Video On-Demand Services · · Score: 1

    I wasn't aware of any options other than Rogers and Shaw cable. I guess there's still hope for Internet users in Canada. Execulink, you say?

  7. OpenOffice team: WHY?? Are you NUTS?? on First OpenOffice Virus, Not In the Wild · · Score: 1

    My previous posts have heaped enough criticism on OOo, so I won't do that here, no matter how good it might feel to vent my frustration.

    What I want to do is figure out why OpenOffice is such a steaming pile of crap. Why would someone want such a slow, bloated program? Who decided it would be a good idea to turn on scripting by default? When are they going to make a decent user interface?[1] Well, I think I've figured out a few places where OOo is not like other open source software. Perhaps we could learn some lessons from this.

    OSS starts out by "scratching an itch", as the wisdom goes, but OOo did not start that way. It started with StarOffice, proprietary software acquired by Sun and then open sourced. A heartfelt thank you from me to Sun, but unfortunately, open-sourcing the software has not made it better. Instead, I suspect that little pieces here and there have been added to the StarOffice code, until the software became an incongruous quiltwork that did not run smoothly. I mean, Java for some things but not others? No way to insert current date as text? (Have they fixed that in recent versions, by the way?)

    Or maybe that wasn't it; instead, perhaps it was the management that dictated the features. "My daughter says MS Word has SuperMacro ScriptEnhance-o-rama," said the manager, "and I told her, OpenOffice will have it, too!"

    Or maybe it was (heaven forbid) an actual developer who decided that changing the font on the main text would not change the font within a table?

    I mean, it's hard to imagine that they did any sort of usability testing at all. What it does feel like is that they were trying to keep up with Microsoft Office while forgetting about the spirit of OSS.

    Can someone offer insight into what happened? Because I wouldn't want that to happen to any other OSS project. (Firefox, are you listening?) Ironically, although I fear that Firefox may be starting to suffer the same feature creep as OOo, I think the best thing for OOo to do now is to take a page from the history of Mozilla: scrap the code. Mozilla did it, and it took over a year, but when they finished, it was a masterpiece that everyone could be proud of.

    So, start over. Stay focused. Otherwise, people will migrate over to AbiWord. You know what, better yet, maybe OOo can send some of their developers over to the AbiWord team, and maybe KWord, too.

    Aaargh, the amount of wasted talent that goes into OOo.

    -----
    End notes: s/OpenOffice[^.]/OpenOffice.org/g --you know what I meant.

    [1] "Decent user interface": they can start by not having multiple menu options share the same "underlined letter" shortcut.

  8. Can two or more standards be standard? on Microsoft Votes to Add ODF to ANSI Standards List · · Score: 1

    Can two or more standards be, by definitation, standard? (sic)

    Feet and inches / metres
    Pounds and ounces / kilograms

    I agree, I didn't think so, either.

  9. *I* will trash OpenOffice.org; no need for MS Word on Microsoft Votes to Add ODF to ANSI Standards List · · Score: 3, Interesting

    Just as the situation is today. Look at the "reviews" of OpenOffice.org by various "journalists". You'll see them complaining that the formatting on a document was "messed up" when they went
    from MS Word
    to OpenOffice.org
    back to MS Word.

    Okay, if you think it's due to MS Word that OOo looks bad, try this one on for size: a document saved as ".odt" with OpenOffice.org v2 for Linux (Kubuntu) is mangled when opened in OpenOffice.org v2 for Windows (Win2k). There was no MS Word involved anywhere.

    This was a document for which formatting was important: I had designed a greeting card to be printed onto thick paper and folded into quarters, so positioning was critical. I did this on my Linux box, but the printer was hooked up to the wife's box, and she only wants Windows on it. I saved the file on Kubuntu, FISh'd it over to the Win2k box and opened it, and the text formatting had screwed up, spilling over onto the next page.

    If OpenOffice.org can't standardize their own document formatting, what's the point having a standard like ODF in the first place? (I finally exported to PDF in order to get it onto the Win2k box without messing it up.)

    I'm grateful to Sun for all the contributions they've made to Open Source, but I have to say, OOo is a steaming pile of crap.

    Okay, that was a bit too blunt, and I'm glad they have an integrated office suite with spreadsheet, presentation application, I appreciate the work they've put into this, grateful that they distribute OOo under an Open Source license, etc. etc., so let me do my best to be more subtle.

    Erm, er, OpenOffice is ... a steaming pile of crap.

    Sorry. I tried.
  10. Why not change IP address again? on How Image Spam Works · · Score: 1

    I feel your pain. I *can* get out from the office through 443 and 80, so I'm a bit better off than you. Some ideas:

    - Can you do anything at all as long as it's through Port 80? If so, try SSH'ing into Port 80 so you don't have an Apache webserver responding, but instead SSHd dropping connections. Then you can always tunnel through the SSH connection (ie. connect from your school computer to school_computer_itself:8080, but actually it's going via the SSH tunnel to home_server:8080 where your Apache server is waiting).

    - Otherwise, doing SSL through Port 80 (ie. making it act like a Port 443) might give you more security, but I guess it wouldn't stop script kiddies from connecting to it.

    But are you not able to change your IP address? For me, with my DSL modem, I can tell the router/modem to drop the connection, and when I reconnect a few seconds later, I've been assigned a different IP address. Not an option for you?

  11. Why the arbitrary line on when one is Power User? on The Clueless Newbie Rides Again · · Score: 1

    NORMAL USERS don't install OS's. If you install your OS, you have progressed to POWER USER. Windows "normal users" call a computer shop to reinstall their OS. I know, I'VE GOTTEN THE CALLS!

    I vehemently disagree with your post, and hold up your opinion as an example of an elitist attitude that holds back easy computing for the masses, a paradigm that fortunately has been shattered by Microsoft (and others before them). Note that I have nothing against you personally, and you yourself probably hadn't been aware of a viewpoint such as mine, so think of this as a polite tap on your head with a cluestick.

    Geeks have always prided themselves as being able to do things lay people couldn't, due to an increased understanding of how things work; computer geeks can, for example, install Linux, or release an IP address and reacquire a new DHCP lease. So, it would be easy to conclude that "you're not a real Power User" until you know how to go to a terminal and type "sudo dhclient -s 192.168.0.1 eth1".

    But now you've fallen into the trap of defining a non-Power User by what s/he is not able to do, instead of what s/he wants to do. Within this trap, you (generic you, not personally) don't try to make things easy for non-Power Users because you assume that only Power Users would want to do those "geek things" anyway. "Why would anyone other than a Power User," you might say to yourself, "be interested in learning about the 'dhclient' command?"

    Good question. Why would anyone want to learn about 'dhclient'? Why would a geek like you want to learn about 'dhclient'? Why, so that you can have more control over our Internet connections, of course, such as when you're trying to tell your recently de-hibernated computer to stop trying an old connection and reacquire a new DHCP address from the server.

    Well, wouldn't a lay user also want to be able to reset a connection like that? Even someone who's not a Power User? Sure, it's a useful thing to do. So in MS Windows, you go to "Network Connections" and click on "Repair Connection", and Windows will release and reacquire a DHCP lease.

    Wasn't that a feature only for Power Users? No, because it's useful for lay users, too. Previously, the complexity of the "dhclient" command limited this feature to Power Users, but it doesn't mean that lay users don't want to use it. And so, MS Windows makes this easy to use for users to do without making it of Power User complexity.

    Similarly, installing Linux has previously been a Power User operation, only because it was hard to do, and not because it wasn't useful for lay people. Who wouldn't want a computer rookie to be able to install Linux, Ubuntu or otherwise, with a snap of the fingers? The rookie might be sick of viruses and MS Windows activation, and we geeks are tired of their computers being zombified. But until we realize that installing an OS is something ordinary people want, even though it has long been considered the exclusive domain of Power Users, no one is going to expend the effort to try to make it easier.

    Fortunately, there are those within the OSS community who realize that it doesn't have to be this way, and have made it drop-dead easy to install Linux --or, heck, even easily run Linux from a RAM drive (what Knoppix pioneered). That is what the OP main article was driving at: the reviewer wants to see Linux easily installed for a lay user. Note that Ubuntu passed with flying colours; her two complaints (desktop fonts and OpenOffice.org) were not related to installation, although she got worried about her Win2k partition being overwritten.

    Remember, if being a non-Power User meant not wanting the ability to do what Power Users did, we'd still have telephone operators making our household phone calls, and chauffeurs driving stick-shift cars for us. Contrast this with LibraNet Linux that I used a few years ago, the GUI of which featur

  12. That's not the Base64! I'll prove it! on TiVo Awarded Patent For Password You Can't Hack · · Score: 1

    sbizna ~$ base64 --decode <<< "MDlGOTExMDI5RDc0RTM1QkQ4NDE1NkM1NjM1Njg4QzA="
    09F911029D74E35BD84156C5635688C0

    When you convert 09F911029D74E35BD84156C5635688C0 into base 64, it couldn't possibly be "MDlGOTExMDI5RDc0RTM1QkQ4NDE1NkM1NjM1Njg4QzA=". Here's why:
    1. "09F911029D74E35BD84156C5635688C0" uses 32 hexadecimal digits. It takes that long because each hex digit is limited to one of 16 possibilities (0-F). If you allow more possibilities, 4 times as many (base 64 instead of base 16), then you will not need as many digits. In particular, you only need 2/3 as many digits (16 log 2 / 64 log 2) to express a number. So why would it convert into "MDlGOTExMDI5RDc0RTM1QkQ4NDE1NkM1NjM1Njg4QzA=", which is a longer string using even more characters to express?
    2. "09F911029D74E35BD84156C5635688C0" ends in zero and is thus divisible by 16, so "MDlGOTExMDI5RDc0RTM1QkQ4NDE1NkM1NjM1Njg4QzA=" should end in zero, sixteen ("G"), thirty-two ("W"), or forty-eight ("a"). I don't know what "=" represents, but presumably it's sixty-two or sixty-three (since A-Z is ten to thirty-five, and a-z is thirty-six to sixty-one; I use "&" and "_" for sixty-two and sixty-three, myself).

    Thus "MDlGOTExMDI5RDc0RTM1QkQ4NDE1NkM1NjM1Njg4QzA=" is not "09F911029D74E35BD84156C5635688C0".

    Yeah, I know, I know, I could have just converted "09F911029D74E35BD84156C5635688C0" myself instead of doing it the long convoluted way, but this was more fun to do as a geek. :P
  13. ?! Dual head monitor: easy GUI on Kubuntu on Does Linux "Fail To Think Across Layers?" · · Score: 1

    In the KDE version of Ubuntu, adding a second head monitor involves: System Settings > Display > Second Monitor (click on checkbox). How is that different from what you wanted? (Someone can tell us what the equivalent is in GNOME.) And then you can choose "clone of primary monitor" or "dual monitors", and if you choose the latter, you can set what the position of the monitors is relative to each other.

    By the way, I'm still using the third-newest version of Kubuntu, and in fact KDE has had these features even before I switched over to Ubuntu --but since I didn't have two monitors before, I never tried to use it.

    Next example of lack of GUI for configuration, please.

  14. How can faxes be legal, if so easily spoofed? on What Can You Do to Stop Junk Faxes? · · Score: 2, Interesting

    I am not disagreeing with your assertion that, currently, faxes seem to have some legal standing.

    But do people not realize how easily they can be forged and spoofed? The facsimile machine is technology from the 80's that has no authentication mechanism. It would be so easily spoofed with a fax modem! You could set up a fax that would seemingly come from, say, the office of the CEO, with letterhead and fax header to correspond, and even a signature would be a simple matter to attach.

    Not long after Win2k came out, there was some situation where I had to send some fax with my signature on it to some company --something about giving written notice to my cable company that I really did want to stop my cable service, or something like that --I can't remember now. But I had no fax machine, just a digital camera. So I signed a blank sheet of paper, photographed my signature, pulled the photo into the computer and posterized it into some 4-bit grayscale with GIMP, stuck it into some OpenOffice.org letter, and then printed it to fax via Win2k. It worked, and after that I kept the PNG image of my signature around in case I had to use it for something similar.

    Does that still work? It's so easy to manipulate a digital image of people's signature nowadays. The signatures of some corporate executives are even freely distributed! You get junk mail saying, "Dear [insert your own name here]: I am writing to personally tell you how much we value you as a customer, [bla bla] signed Joseph L. Presidente, CEO, Fortune 500 Company" followed by their frigg'n signature. How hard is that to cut&paste into some fax to some hotel saying, "To Whom It May Concern: I verify that I, Joseph L. Presidente, have agreed to pay all accommodation expenses incurred by [insert your name here] during his stay," or something similar.

    The facsimile is a valuable tool, but the authority which people attach to them is misplaced. People need to get a clue about digital signatures, or deal with being a victim of social engineering.

  15. Sync'ing movies between two households? on Synchronizing Music Players? · · Score: 1

    I have a related situation for which I'd love to hear you Slashdotters' input.

    In these few months, I am going to be out-of-town for most days out of the month. My wife and I miss each other very much and we've gotten the old Unlimited-Talk-To-Each-Other-On-Your-Cellphone plan, etc. But one of our favourite activities is watching movies or TV shows together. We already know how to play them on the computer when we are at home together (got the ol' bigscreen and hi-fi hooked up to my Linux box), but it would be great if we could watch the show simultaneously even when I'm out of town.

    I would have a computer with me, and my wife could play it on the home desktop. I envision a scheme where we would be on the phone with each other throughout the whole movie (who cares, it's an unlimited calling scheme). We wouldn't say much, but we'd be able to hear each other laugh, or gasp in surprise, etc. But the thing is, I want to be able to synchronize the movie. We enjoy watching thrillers where a delay of one second might spoil a plot surprise (e.g. my wife screams over the phone, "He's alive!"), so I hope to be able to make any delay unnoticeable.

    How to do this?

    The worst case would be that we both start the movie manually, and it will probably be out of sync by a few seconds (depending on how long it takes the player software to start up). The next step up might be to synchronize both computers to the same NTP server, and then set a cron job (or what's the one-time cron command called? "at", I think?) to start the movie at a specified time a few minutes into the future.

    But is there some way to synchronize keypresses? So that, for example, if we have to pause the movie, both computers pause at the same point?

    I thought of using VNC, but it tends to be slow outside the home LAN. If I wanted to pause a movie, I'd have to pause the local player, then switch to the VNC screen (and wait for it to redraw the remote screen), then hit the pause button (and wait for the remote computer to sense my keypress and stop). Reversing the order (pausing the remote player first, then the local) is slightly better but not by much.

    This scenario is not quite the same as the OP scenario, since the hookup spans different cities rather than just within the same home. It's also not the same as a streaming webcast, mainly because the bandwidth is not there for streaming video of this quality --nor is it necessary, since both computers already have the video content pre-loaded; it's just a matter of synchronizing the playback.

    Any ideas?

  16. For good docs, pretend you're a newbie; eg GnuCash on Writing Open Source Documentation? · · Score: 2, Insightful

    The manual that comes with GnuCash accounting program is not just a user guide, but a simple and easy-to-understand accounting primer suitable for the newbie who isn't sure why s/he would need to know about accounting in the first place. Depending on what you wanted to contribute --whether you want to be a prolific updater of man pages for semi-geeks, or focus on fine user guides for one project-- this may or may not be the type of example you want, but it's something that made the GnuCash program much more valuable for me.

    I think one valuable attribute to have as a documentation writer is to be able to see it from the point of view of the newbie. Know what questions they would have, and give examples. (One thing that bothers me about man pages is that many of them don't give examples.)

  17. Let's name actual companies: Sony etc., not "RIAA" on RIAA Backs Down Again in Chicago · · Score: 5, Insightful
    As others have noted, the RIAA has been successful promoting themselves as a concept in people's minds so that we direct our ire toward this nebulous phantom group, rather than the actual companies. If you look at their list of members, you'll find that there appear to be many many --until you see shenanigans with member names like "Universal(1)" and "Universal(2)". Like, wow, there are so many members of RIAA that Universal is on there twice! And Sony ... well, there's Sony Direct, Sony Labels, Sony Music Special ... gimme a break.

    Wikipedia has a comment about this:

    The RIAA's website contains a list of members, which has been disputed in the past, as Matador Records, Fat Wreck Chords[4] Lookout Records, Epitaph Records and Bloodshot Records (who are not members) have been listed there.[5] Some may have been automatically included in the list as they were using RIAA members as distributing labels.
    --from http://en.wikipedia.org/wiki/RIAA

    Let's name the actual companies involved: Sony, Universal, Capitol, KGB Records, Synapse Films... We might even make up a new acronym for the coalition.
  18. They may switch back; Firefox, don't be complacent on Microsoft Drops Hints on IE8 · · Score: 4, Insightful

    Will people ever go back to IE once they've switched to Firefox? Maybe, but it might be a good thing.

    Firefox lit a firecracker under the butts of Microsoft (who actually disbanded the IE team after IE6 --can you believe it?), and made them scramble to build a web browser that was a first in the world of Microsoft: it was standards compliant. Okay, actually, it wasn't, but it was a heck of a lot more so than the old IE, and for the first time MS actually paid attention to Web standards compliance. Whatever happens after that, we can thank Firefox for this historic watershed; even if people switch back to IE, it won't be to IE 6, and web page authors will realize that Microsoft doesn't necessarily dictate the standards.

    In the same way, though, Firefox can't afford to be complacent. Microsoft has a long history of coming from behind and overtaking. There are quite a few ways in which Firefox could be improved, and if MS makes this improved browser IE8, then I can very well envision people switching back.

    I think the main thing Firefox needs to do is manage its extensions. There was an interview on Slashdot in which one of the developers said that there was no need for the Mozilla Foundation to vet and officially support extensions, which I think flies in the face of common sense. The MozFound needs to pick three or four extensions and make sure they work --which would not be hard to do since they work now-- but officially make it part of Firefox. These extensions are: Adblock [Plus], NoScript, ... well, I'll let you fill in the rest so I don't start any flame wars. Then when testing happens, they have to include these extensions.

    Firefox could do with a few other improvements, and I'm sure other posters will happily list them, but the point is: Microsoft is fully capable of overtaking Firefox again. This is a good thing only if it spurs Firefox to greater heights. I don't want IE to actually end up overtaking Firefox, because I want the dominant browser on the Web to be a cross-platform one.

  19. Googlebomb needed? on Censoring a Number · · Score: 1

    How might one set up a Googlebomb? I think that's an appropriate response to trying to censor 09f9-1102 9d74-e35b d841-56c5 6356-88c0, so that we can't cdzrherntphpqjwetxeqjggpvkq our freedom of speech.

  20. Public Key not spoofable; here's how: on Italian Phone Taps Spur Encryption Use · · Score: 2, Informative
    Wow, my head is still spinning after reading the flurry of comments in response to the sibling posts, and responses to those, ad infinitum. Maybe if I summarize stuff here, we can all get on the same page and move on. All the Public Key Encryption (PKE) problems have been addressed in systems like PGP/GPG and SSH, etc. I have to remember that not everyone is familiar with this, and the number of queries about "but wouldn't this or that be insecure?" is a reminder of the fairly substantial problems with which the crypto community has had to deal, and the elegant way in which they have done so. Sometimes I take it for granted.

    In short: public key exchange is not a problem, not even for man-in-the-middle, if you do it right.

    The parent poster said: public key exchange is a problem. People seemed to think that the "problem" in question was that public keys must be kept secret, and answered, "No need to keep it secret." A better answer might have been: "You MUST NOT keep it secret," and that would answer the comments about man-in-the-middle as well.

    People worried about man-in-the-middle note that the phone company owns the channel, and thus can intercept everything! But that's not enough for a man-in-the-middle attack (MitM attack, where attacker K intervenes in the conversation between A and B; K tells A that K is really B, and K tells B that K is really A, and relays the conversation). The key to breaking MitM is to recognize the additional condition for such an attack: the attacker must completely replace the messages from the sender with his own messages. Otherwise, either:
    • the attacker is only eavesdropping, but won't be able to get any info once sender and receiver start using encryption, or
    • sender and receiver realize that there is someone intercepting, and switch encryption or move to a different channel

    Thus, sender and receiver must prevent a MitM attacker from completely replacing all the messages. The way to do this is to exchange messages through more than one channel, at least in the beginning.

    With the usual PKE such as GPG over email, for example, the sender doesn't just send public keys to you and say, "Here's my public key; now let's talk." That's a foolish and insecure way to do it, and the importance of drilling this into the users' heads is the number one reason why GPG isn't that well-promoted: its proponents (rightly) prefer to have the system less popular but secure, rather than have some AOL weenie start using GPG improperly and getting a false sense of security.

    And, no, the way to make it more secure is NOT to send more data, like "Here's my public key and my photo. Now do you believe that it's my real key?" That would just be sending more data over the same channel. You need another channel.

    If sender and you have already exchanged public keys before, assuming it was in a secure way, then we're good, because the exchange was made in a previous conversation over which the MitM attacker had no control. That's an additional channel.

    But say they've never exchanged public keys before. Well, you can check if the sender has published the public key on some keyserver, or hopefully multiple independent keyservers. These would be separate channels over which the MitM attacker would have no control. The sender puts up the key (or has already put up the key) on the pgp.mit.edu server (for example) and has already checked that it had been uploaded correctly. Once it's published, no MitM can modify the key. Note that you just need any publicly accessible info source where published data cannot be changed, so you don't need to trust the keyserver as much as, say, an SSL Cert authority like VeriSign. The "keyserver" could be the local newspaper classifieds, for example.

    But let's say that there is no trusted key repository. What now? Well, if you have someone you mutually trust, who has a public key known to and trusted by you, and who knows and trusts
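
    The multi-channel check described in the comment above, as an added example that is not part of the original comment: the channel names and key bytes are constructed, and SHA-256 over the raw bytes is an assumed stand-in for a real OpenPGP fingerprint.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: opaque byte strings standing in for exported public keys.
GENUINE_KEY = b"constructed-public-key-of-the-real-sender"
FORGED_KEY = b"constructed-public-key-substituted-in-transit"


def fingerprint(key_bytes: bytes) -> str:
    """Stand-in fingerprint (assumption): SHA-256 of the raw key bytes."""
    return hashlib.sha256(key_bytes).hexdigest()


def cross_check(copies, min_channels=2):
    """Compare copies of one public key obtained over several channels.

    copies maps a channel name to the key bytes received there, or to None
    when that channel gave nothing (for example a keyserver that timed out).
    Returns (verdict, detail), where detail maps a short fingerprint prefix
    to the channels that delivered that key.
    """
    groups = defaultdict(list)
    for channel, key in copies.items():
        if key is not None:
            groups[fingerprint(key)].append(channel)

    detail = {fp[:16]: sorted(chs) for fp, chs in groups.items()}
    if not groups:
        return "no-data", detail
    if len(groups) > 1:
        # Channels disagree: at least one copy was replaced or is stale.
        return "mismatch", detail
    (_, channels), = groups.items()
    if len(channels) < min_channels:
        # One channel alone proves nothing: whoever controls it controls the key.
        return "unverified", detail
    return "consistent", detail


if __name__ == "__main__":
    seen = {"email": FORGED_KEY, "keyserver-a": GENUINE_KEY, "keyserver-b": None}
    print(cross_check(seen))
```

    A "mismatch" or "unverified" verdict means the key should not be used until it has been confirmed over a further independent channel.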

  21. need Enigmail, but also user-friendly Key Servers on Must-Have Extensions for Thunderbird 2.0 · · Score: 1

    Regarding popular use of Enigmail and GPG, one thing I've come to realize is that there needs to be an easy-to-access public key infrastructure. By this, I mean not just the existence of GPG key servers, which already exist, but an easy and user-friendly way to get anyone's key.

    For example, the other day I was composing an email message, and thought, "I should encrypt this." But I didn't have the recipient's public key. (I think the recipient was a software developer of a program I had just downloaded.) I told my software, Kgpg, to get the key, but it couldn't find it on the default keyserver. So I went to another keyserver, but it timed out, and yet another keyserver didn't have the key. So then I Googled for it, and finally found the guy's public key.

    I thought about how encryption worked for web sites and services like Hushmail. When I go to the bank's website, I don't need to Google for my bank's "public key" --the SSL certificate is already on file at the certificate authority, Verisign or whatever it is. You just say, "I want the Royal Bank website" (or whatever bank it is) and your browser already comes built-in with the ability to go to the right place to get the right key. When people sign onto Hushmail, Hushmail will keep track of the OpenPGP public keys.

    In the same way, there needs to be, not just one or more keyservers, but a publicly recognized need for one central key repository or network of cross-mirroring key repositories, that programs can just go to. When I set up Kgpg (or Enigmail or whatever), I shouldn't have to choose which keyserver to go to; it should come with a default (which it does) that works (which it doesn't). Note that this is not the fault of any one program, but the fact that no one keyserver has achieved critical mass, so that everyone will put his/her key on that one server and expect other people to find it.

    I used to think that this one server would be the MIT keyserver, at pgp.mit.edu. But in recent years, I've found that most keys you can't find on there. The keyserver has been timing out, and if this has been the norm, then I can see why people don't want to put their keys on there. You can put your key on more than one server, but then which "more than one" server do you choose? Kgpg is set up to query pgp.dtype.org and wwwkeys.us.pgp.net; is that what the rest of you have been using as well?

    Of course, the whole point of having something like GPG is that there is no one central authority to turn evil and bring down the entire infrastructure, and to that end I love having the trust ratings on the GPG keys. But there needs to be more access to GPG keys so that some flag can come up on people's email software: "Encryption available for this recipient --want to use it?" As it is, I would have to somehow find out that the recipient has heard of GPG, say, "Hey, you know about GPG? Do you use it? I do! What's your public key," etc. etc.

    Enigmail is a great boon for promoting GPG, but we need more infrastructure before we can get it to the same popularity as, say, MySpace or even just Slashdot.

  22. I don't get it --why not pick an arbitrary GUI? on Virtues of Monoculture, Or Why Microsoft Wins · · Score: 5, Insightful

    I'm not sure I understand you. You say that because Linux has both GNOME and KDE (and others), there is not one standard GUI on which to develop. But why don't you just pick one? People have access to both, you know.

    For example, as a die-hard KDE user, I'll ask: what happens if you just pick GNOME and go with that? If it's a useful program to me, I'll install your GNOME program on my KDE machine. For example, I run GnuCash and not KMyMoney, I run Gnumeric and not KSpread, I run Abiword and not KWord (or OpenOffice.org), and I run Firefox and only occasionally Konqueror. I plan to continue to use KDE for the foreseeable future, and I've never downloaded the default Ubuntu, only Kubuntu.

    Unless I misunderstand you, you seem to be saying: "Microsoft has a single door to walk through. But Linux provides double-doors, so I don't know whether to walk through the left one or the right one. So I won't bother, and I'll just stick with the single door because the lack of choice is less confusing."

  23. Another great website: Librenix.com on Learning More About Linux? · · Score: 2, Interesting

    From time to time I'll visit http://librenix.com/, a "linux tutorial" aggregator site where people collect various tips about Linux and its various applications. This is often how I will hear about various applications, methods to secure your computer, tricks for administering Linux, etc. For example, as of this writing, among the first page list of articles we have a tutorial on installing VirtualBox in Linux, emacs essentials, how to install dual monitors, etc. Most articles are good, although the styles can vary since Librenix just points to various web pages; they weren't created for Librenix itself.

    Recommended.

  24. They had a text mode installer ages ago on Ubuntu Feisty Fawn Released · · Score: 1

    Why can't they put an optional text mode installer on the standard disc rather than requiring an alternative install CD? Are you saying that I'm imagining that text mode installation option on the Kubuntu 6.06 disc that I downloaded last year? As far as I know, they've had that forever, and it's the GUI installer that is newer. Or are you saying that they took out the text mode installation for Feisty?

    But maybe for lesser hardware that can't even support a live CD, you might not want to install Ubuntu at all; you might want to stick with a less resource-intensive version, such as Xubuntu (Ubuntu with the Xfce window manager). That's what I did with the 6-year-old laptop we have --but guess what, that was able to support the Xubuntu live CD with graphical installer. And remember, if it comes down to that, you can always install Xubuntu and then "apt-get install" the KDE desktop to turn it into Kubuntu (or Ubuntu with GNOME desktop).

    But I can't compare that to Windows, since I haven't installed any Windows beyond Win2k. So maybe the new Windows installers are even slimmer than Ubuntu's text mode installers. I dunno.
  25. Agree: Gentoo Wiki is great, even for non-Gentoo on Fragmentation in Linux Documentation? · · Score: 2, Interesting

    I second the parent and sibling post. Many times I've had to plow through Linux docs, and consistently find straightforward answers in the Gentoo wiki. They give usable examples, and it's something that can be used by most Linux distros, not just Gentoo. Yes, there are a few places here and there where the Gentoo wiki tells you how to compile with certain flags, so that's not for me since I use precompiled binaries (Kubuntu / former Mandrake), but most of the time it's a treasure trove of info. Thanks, Gentoo wiki!