Slashdot Mirror


User: DavidRawling

DavidRawling's activity in the archive.

Stories: 0
Comments: 413

Comments · 413

  1. Re:Stupid on Google Proposes To Warn People About Non-SSL Web Sites · Score: 2

    And forcing SSL does nothing to prevent your employer setting up an SSL proxy with a wildcard certificate, decrypting everything you request, and tracking you anyway. I've set up MITM proxies for companies before, and it's literally 10 minutes of effort in most cases (because the end-users already trust the corporate CA). And if you think the Government can't MITM you as well you haven't been paying attention for the last 12 months.

  2. Re: So perhaps /. will finally fix its shit on Google Proposes To Warn People About Non-SSL Web Sites · Score: 1

    OK, Mr AC, care to explain how you plan to cache SSL-encrypted objects? All your caching proxy sees is the "connect me securely to server X" request - after that, it's encrypted and your proxy cannot tell what's being loaded. Worse, since SSL inflates the data sizes of whatever you've requested, your images are up to 50% more data, and your (already compressed with gzip) HTML, CSS, JS etc is the same. So you've added 50% to your traffic for ... potentially nothing.

    Seriously, what do you gain (actual, measurable improvements) from switching from http://www.comics.com/garfield... to https://www.comics.com/garfiel...? Nothing but overhead.

    And that's leaving aside the fact that SSL no longer guarantees the source server (too many options for MITM server certificate hacks) or security (POODLE etc).

    No, make no mistake, this is Google throwing its weight around, screw anybody who doesn't want or need a certificate for their site, or has made a conscious decision NOT to use SSL (not to mention all the corporates with proxies that inspect for malware - now you're mandating SSL MITM by the organisation, or you have a channel for malware into any system).

  3. Short sighted on Forbes Blasts Latests Windows 7 Patch as Malware · Score: 5, Insightful

    Ah yes, one bad patch and we should all NEVER PATCH AGAIN BECAUSE THE SKY IS FALLING! Perhaps he will take personal responsibility the next time a patched vulnerability launches a new botnet? Nah, just write inflammatory rubbish, it's easier.

  4. Re:I look forward on Tesla Wants Texas Auto Sales Regulations Loosened · Score: 2

    Actually, I don't know why they don't "acquiesce" somewhat to the demands - and offer to sell to the dealers at the same price as they sell in other states.

    When the dealers refuse on the basis they won't be competitive with out-of-state sales, they should surely be able to use that to force the hand of the legislature (by advertising in Texas, with the tag line "Not available in Texas because none of your dealers will sell our cars" or something). Truthful. Pins the "blame" where it belongs (the dealers).

    If, OTOH the dealers accept, the customers will demand to know why Texas is 25% more expensive (and Tesla can truthfully say "We sell at the same price to all comers, dealer or private, so any difference is the dealer's margin because your state gov't won't let us sell direct to you".

    I'm very interested, with Tesla apparently coming to Oz next year, to see what happens here.

  5. Re:Nuclear Power has Dangers on What Would Have Happened If Philae Were Nuclear Powered? · Score: 2

    Or you could read the article (psht this is SLASHDOT, what was I thinking?) and the papers it references which indicate the most likely outcome of an explosion of the craft within 1m of takeoff would still result in 0 deaths. Science, not baseless assertions.

  6. Re:No one seems to see the real privacy issue on Apple Releases iMessage Deregistration Utility · Score: 1

    While it's true that it takes months or years for the number to be re-issued, it takes only an hour for it not to be your number any more after you change providers (or, in the US perhaps even area codes?) In Aus we have number portability between the carriers, which is nice when you pay for it - but sometimes you have to change numbers for reasons outside your own control. I trust (from some of the above comments) that this new tool handles what would seem to be a fairly regular occurrence, though the summary suggests otherwise?

  7. Re:5 or 8 port switch at the entertainment center on Ask Slashdot: How Would You Build a Home Network To Fully Utilize Google Fiber? · Score: 1

    Sure - I could. But that's extra devices and usually extra power points at those locations (esp if you want any POE - I doubt there will ever be a switch that can be powered by, AND deliver POE at the same time). So it's extra devices to buy and support and manage which is why I decided against it. Having the extra ports doesn't stop me doing it in the future either.

    The flip side of course is that a failure in one of the big switches takes a LOT of things offline and it's more expensive to replace. Not the VM cluster or servers - but about half the other devices (e.g. one of the WAPs, half the desktop points etc).

  8. Re:Unlisted number baloney :( on Accessing One's Own Metadata · Score: 1

    OK Telstra has to record the source and destination numbers of all the calls - right? Here's a sample record (not that drawing a table is easy so work with CSV here):

    FromID, ToID, TimeStart, TimeEnd
    0299999999, 0288888888, 20090617135834, 20090617140711

    How would you like to determine whether the number 0299999999, which is not owned or operated by Telstra today, and which was not owned or operated by Telstra in 2009 either, was or was not an unlisted number at the time of the call? Because its state right now is completely irrelevant - the state at the time of the call is the important and relevant piece of data, and it doesn't exist. And the reason it doesn't exist is that this is a record designed for billing and cross-checking, not for customer view (if you're arguing against unlisted numbers in toto, you've never been stalked).
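
The point made in the comment above, that a billing record carries no point-in-time listing status, can be shown in code. The following is an added example (not part of the original post); the CSV row and the listing-history table are constructed sample data, and the function names are illustrative. Joining the call record to today's directory answers the wrong question; only an effective-dated history table can answer "what was the status at the moment of the call", and when no history row covers that moment the honest answer is "unknown".

```python
"""Point-in-time lookups against a billing-style call record.

Added example with constructed data; it is not code from the original post.
"""
import csv
from datetime import datetime
from io import StringIO

# Constructed copy of the billing record shape described in the comment.
CDR_CSV = """FromID,ToID,TimeStart,TimeEnd
0299999999,0288888888,20090617135834,20090617140711
"""

# A directory-listing history that the billing record itself does NOT carry.
# Row: number, status, valid_from, valid_to (None = still current).
# All rows are constructed for illustration.
LISTING_HISTORY = [
    ("0288888888", "listed",   "20050101000000", None),
    ("0299999999", "unlisted", "20100301000000", "20120101000000"),
    ("0299999999", "listed",   "20120101000000", None),
]


def parse_ts(s):
    """Timestamps in the record are YYYYMMDDhhmmss."""
    return datetime.strptime(s, "%Y%m%d%H%M%S")


def load_cdr(text):
    return list(csv.DictReader(StringIO(text)))


def current_status(number, history):
    """What the directory says *today*: the only thing a bare CDR lets you join on."""
    for num, status, _, valid_to in history:
        if num == number and valid_to is None:
            return status
    return "unknown"


def status_at(number, ts, history):
    """Listing status at instant ts, or 'unknown' when no history row covers it."""
    for num, status, valid_from, valid_to in history:
        if num != number:
            continue
        start = parse_ts(valid_from)
        end = parse_ts(valid_to) if valid_to else datetime.max
        if start <= ts < end:
            return status
    return "unknown"


def annotate(cdr_text, history):
    """Attach both the present-day and the at-call status to each record."""
    out = []
    for row in load_cdr(cdr_text):
        t = parse_ts(row["TimeStart"])
        out.append({
            "from": row["FromID"],
            "status_now": current_status(row["FromID"], history),
            "status_at_call": status_at(row["FromID"], t, history),
        })
    return out


if __name__ == "__main__":
    for r in annotate(CDR_CSV, LISTING_HISTORY):
        print(r)
```

For the constructed data the 2009 call from 0299999999 gets `status_now` of "listed" but `status_at_call` of "unknown", because the earliest history row for that number begins in 2010. A customer-facing metadata view has to store (or be able to reconstruct) that history; otherwise it is showing today's state and labelling it as the state at the time of the call.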

  9. I did this when I finally bought a place 15m ago. I went what I considered was pretty "nuts" on the cabling. Cat6A everywhere - 2 in every room except bathrooms, kitchen, laundry and foyer, 6 per room for the entertainment areas. 2 APs at opposite ends of the house, and everything terminates in a 6U cabinet in the garage (26 points total). The sparkie who did the cabling said he's just finished another place with over 50 points, similar approach to mine. So what would I do differently? Most rooms are fine. I find I could use more in one of the entertainment areas, but some of those devices are both wired and wireless (and if push came to shove, I would simply move a device to WiFi). I wish I had thought to put a couple of points near where the solar inverter will be, so I could run a Galileo or similar for monitoring - it'll have to be WiFi. But this gives me at least 1Gb with POE almost everywhere, and I can go to 10Gb if it's ever a requirement.

  10. Re:First world problems. on Apple Outrages Users By Automatically Installing U2's Album On Their Devices · Score: 2

    Look I know it's a tiny thing, and I'm in the "don't like U2 so might have been annoyed" camp. But at least some of the reasoning behind the annoyance is that this has hit a stack of data caps / data plans on mobile devices. "It's only 100MB" you say. But if that's 1/5th your monthly data and you only had 30MB left on the last 2 days of your month - now you have a bill thanks to Apple. And where does it stop? "Here's your free 100MB download" is a possible annoyance or a great thing once. It's a royal PITA for lots of people if it starts being every month or week. Or what if it was a 1GB movie instead? Is that OK because the free 100MB album push was OK, and $producer paid Apple eleventy squillion bucks, and it's free so don't complain? Sorry, there's nuances here you're deliberately ignoring, and it makes your argument look like a baseless whinge.

  11. Re:Big improvement on Micro B on Reversible Type-C USB Connector Ready For Production · Score: 1

    Oh, like you don't find on the Samsung Note 3 and Galaxy S5, you mean? Yeah no chance of seeing it on a phone.

  12. Re:OATH on Ask Slashdot: Open Hardware/Software-Based Security Token? · Score: 1

    Actually, combine the Yubikey with AuthLite, and you have 2FA for Windows AD environments. I just implemented it for a customer; they use the OTP for the username and the normal password for the password. This has two benefits: first, you don't hit the arbitrary 48 character password length limit for things like VPNs (yeah - you can have a 128 character UTF16 password, just don't try to connect remotely) and secondly, there's no customisation of apps required. It Just Works.

  13. I've seen comments like this a couple of times now and I have an easy way to demonstrate that bullying was (and is) illegal. I believe Aus and US law are not too far apart on this - either the bully hits the bullied, or does not. If he does, he can be found guilty of battery. If not, he can be found guilty of assault, (if the bullied person feels his safety is at risk that's technically enough).

  14. Re:IPv6 should have been entrenched before TLD pro on ICANN Considers Using '127.0.53.53' To Tackle DNS Namespace Collisions · Score: 1

    Sure they do - all the major web servers and hosting platforms can use and define vhosts (it's just that the mechanism for creating them differs on each platform). IIS for example, if you create a new site, using "All IP Addresses" port 80, will require that you designate a host header so that the HTTP engine can route the request to the right Web Site (and corresponding content). All IP Addresses port 80 with an empty Host Header acts as a "catch-all" and is assigned to the Default Web Site. Which you generally disable, and create your own config for, if you know what you're doing. Apache, on the other hand, configures those vhosts in text files (nowadays under sites-enabled, as I recall). But the functionality is all there on pretty much all major platforms.

    Now if you're arguing that the administrators of IIS servers are exponentially less likely to have a clue about host headers, when compared to their Apache/nginx counterparts - well then from my experience you're absolutely right (my history is MS consulting, and the number of IIS admins who want 20 IP addresses for 20 sites because they don't get how to do host headers, DNS resolution etc, cannot be counted - the reverse can be counted on both hands over 20 years of doing this stuff).

  15. Shades of grey, not black and white on Is Verizon Already Slowing Netflix Down? · Score: 1

    No, it means anecdotal evidence is to be taken as better than no evidence whatsoever. Not everything is black and white, one side of the fence or t'other.

    Consider this as a scale - Peer reviewed, multiple-source reproducible trumps anecdotal evidence, but anecdotal evidence is still better than the absence of any evidence on either side.

  16. Re:They will use the data in court on Ford Exec: 'We Know Everyone Who Breaks the Law' Thanks To Our GPS In Your Car · Score: 1

    Cop 1: "He looked like he was hiding something, yer onner. When we stopped him he kept looking around and acting strangely."

    Cop 2: "Yeah, yeah, wot he said."

    You: "I did no such thing, your honour."

    Judge: Both cops say you did, 2 trusted public officials with no reason to lie against 1 obvious reprobate, probable cause, case dismissed with prejudice.

  17. Re:If I ever own a Ford.... on Ford Exec: 'We Know Everyone Who Breaks the Law' Thanks To Our GPS In Your Car · Score: 1

    Do you really think the telcos would be able to charge full monthly fees for each car despite it sending a few dozen kB a month? Most likely something like the kindle model - where I'm guessing Amazon pay the telcos 20c a month or something, because while the total data amount is huge, the amount of data per device is so small and only the aggregate so large. Same with FROD. 50M extra data streams, once a day spread country-wide? Noise to the telco's existing data streams. Frod and all the others will negotiate the rates down to SFA, they get the data, the telcos get more revenue/profit and the only loser is you, the consumer.

  18. Re:crashed my machine on Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet · Score: 1

    Except the fuckers crashed my machine when they pushed out the update.

    Citation needed, since I recall no such major outcry. Your machine is probably one of the ones with 25 browser toolbars, or ten download accelerators, or fifty outdated browser plugins, or a couple of undetected rootkits etc., which is usually the reason behind a security patch "crashing your machine".

    And if Windows closed the app with unsaved work, you'd be here whinging that Microsoft destroyed your work. And if you really gave a crap, you'd go in and change the Windows Update setting from "Automatically install" to "Ask me first".

    Microsoft has done some seriously stupid stuff. And some bad stuff. But if you want to abuse them, at least abuse them for the stupid stuff not the sane stuff.

  19. Re:No viable upgrade path for Business Users. on Microsoft's Ticking Time Bomb Is Windows XP · Score: 1

    So what you're saying is that it's Microsoft's fault your business held out for post-Win7, despite the knowledge that the end date was 2014 (and heck, that's been moved out by 2 years from the original date!). And it's also Microsoft's fault for not planning your app upgrades (what, you thought Win8 would be more compatible than Win7 for your XP apps)? Sounds to me like you think your lack of planning should constitute an emergency on my part. Bzzzzzt. Wrong. You made your bed, now you get to lie in it.

  20. Re:So upgrade already on Microsoft's Ticking Time Bomb Is Windows XP · Score: 1

    That comment in no way changes what was said in the GP post (though for clarity, while you could still buy WinXP about 4-5 years ago you are still not a current customer). The other point to consider though is the customer (company) who has 20x WinXP machines, 100x Win7 machines and 50x Win8.1 machines. They still are a customer, obviously, but IT moves so much faster than most older industries - it's like complaining your 1955 Studebaker isn't getting new parts made any more because it's 2013, and the original moulds/specs have been lost. The only difference is that you can't even retro-fit a cloned part.

  21. Re:Predictable on FSF Responds To Microsoft's Privacy and Encryption Announcement · Score: 1

    Actually - that their software is open is irrelevant to the problem. Are they running their own servers with openssl/openvpn/??? or using third party appliances? Did THEY create and build the hardware from the ground up or purchase it from a third party? The balance of probabilities may say their inter-DC encryption is done on a secure, up-to-date and built-and-operated-to-best-practices RH server, but it's not a guarantee.

    And just like this scenario with Microsoft, how is anyone going to audit the deployment? RH will most certainly not allow twenty million users to tour their datacentres and audit each and every device. So just like Microsoft's environment, and despite RH's code potentially being open, there is absolutely no way to vet the environment. You have to trust the organisation (and each and every person involved in the decision tree). I really don't see a significant and meaningful difference - the open code has no bearing whatsoever on what's actually running (both code-wise and configuration-wise).

  22. Re:What an incredibly dangerous device on RF Safe-Stop Shuts Down Car Engines With Radio Pulse · Score: 1

    He probably works in OH&S (Occupational Health and Safety - or your local equivalent) or at an employer who has been burned in the past and now requires every possible risk to be itemised and managed (even if it makes a project cost 300% more).

  23. Re:I'm shocked on Warner Bros. Admits To Issuing Bogus Takedowns · Score: 2

    I'd guess the potential killers have higher moral standards than the execs, and don't want to inflict the mental pain / sorrow on the not-guilty family members. Sadly this means the morally bankrupt studio execs can't be expunged from the gene pool.

    That and there's a huge line of contenders to replace the execs anyway, all with moral compasses permanently set to "screw everyone except me".

  24. Re:Really? .. and a conscious choice not to use it on Facebook Isn't Accepting New Posts, Likes, Comments... · Score: 1

    Think of it more like a reminder and a chance to begin the education of those who were suckered in by their friends/colleagues (and who aren't/weren't privacy-conscious to start with).

    I don't have a Facebook account now because of privacy concerns. But I didn't get one originally (04-05 I guess?) because frankly I'm a bit of a loner and I couldn't think of a group of people I'd rather avoid than those with whom I went to school. Yes, I've missed out on staying connected to people with whom I'd want to continue to associate (Uni friends), but I'm not sacrificing my privacy for it now. I'd rather be detached and a little boring. It's a choice - but I hope an informed one.

  25. Re:That would be great - drive by malware protecti on Will New Red-Text Warnings Kill Casual Use of Java? · Score: 1

    True also for Dell, Intel and HP. And the KVM switch vendors (e.g. Avocent). Problem is that while they'll pay for certs for the newer stuff, they're not going to release any new firmware for the older "not supported anymore" stuff. So all those console switches in your datacentre? Worthless, unless you stick with old Java. Same for managed PDUs hosting a little Java applet. Possibly even some rather large web-managed UPS. Same for thousands upon thousands of other supporting appliances of God-knows how many types. Heck, there are companies still rocking servers that are 4, 5 years old; those aren't getting updates to sign the Java applet either, let alone the 10 year old stuff that still hosts the NT4 app that no-one knows how to replace or migrate.

    So basically this is going to force companies to replace perfectly good infrastructure or deal with losing remote access to things, as well as screw with hobbyists who have older stuff in their basement/garage/closet/bedroom.