They do own princeton.edu. You'd expect someone with a 5-digit /. ID to know that. And to be able to figure out from the hundreds of similar past links in articles, that nyud.net is a distributed caching service.
The trouble is the lusers have gotten used to thinking that 'foo.com' is the proper way to type an address, when they want 'foo.com.'. The browser can try foo.com and then it's going to try foo.com.{something from my domain search suffix list}.
And this neatly demonstrates how the "domain escalation" approach would work for certificates.
When the browser is provided with https://foo/uri, it will use the configured DNS suffixes to find the server and then use the same DNS suffix to confirm that the connection should be trusted. So if you have mydomain.com. and mydomain.net. as your DNS suffixes, and foo resolves in mydomain.net., then the certificate must contain foo.mydomain.net. to be accepted.
Mind you I haven't programmed the sockets API so I don't know if it's possible to _get_ the list of DNS suffixes for a computer/connection/some other object. Maybe that's the sticking point?
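The resolve-then-bind check the commenter sketches, as an added example (not the commenter's code): a stub resolver walks a search list, and the certificate is accepted only if it names the exact FQDN that answered, so a cert for the same short name under a different suffix, or for the bare short name, is rejected. The DNS table, suffix list and certificate names are constructed for the demo.

```python
"""Added example modelling the 'domain escalation' certificate check.
The resolver table, suffix list and certificate names are all constructed
stand-ins, not data from any real deployment."""

# Constructed stand-in for the DNS: absolute names the resolver knows.
DNS_TABLE = {
    "foo.mydomain.net.": "192.0.2.10",
    "intranet.mydomain.com.": "192.0.2.20",
}


def qualify(name: str) -> str:
    """Return `name` as an absolute DNS name (single trailing dot, lower-case)."""
    return name.rstrip(".").lower() + "."


def resolve_with_suffixes(host, suffixes, table=DNS_TABLE):
    """Mimic a stub resolver's search list.

    A name typed with a trailing dot is absolute and tried as-is.
    Otherwise each configured suffix is appended in order; the first FQDN
    that resolves is returned together with the suffix that produced it,
    because the certificate check below must be bound to that suffix.
    Returns (fqdn, suffix_used, address) or None.
    """
    if host.endswith("."):
        fqdn = qualify(host)
        return (fqdn, None, table[fqdn]) if fqdn in table else None
    for suffix in suffixes:
        fqdn = qualify(f"{host}.{suffix.strip('.')}")
        if fqdn in table:
            return fqdn, qualify(suffix), table[fqdn]
    return None


def certificate_acceptable(resolved_fqdn, cert_names):
    """Accept the certificate only if it names the exact FQDN that resolved.

    The bare short name ("foo") and the same host under a *different*
    search suffix are both rejected: trust follows the suffix that
    actually answered, which is the point of the escalation scheme.
    Wildcard names are deliberately not honoured in this model.
    """
    wanted = qualify(resolved_fqdn)
    return any(qualify(n) == wanted for n in cert_names if not n.startswith("*"))


def check_https(host, suffixes, cert_names):
    """End-to-end: resolve, then validate. Returns (fqdn or None, accepted)."""
    hit = resolve_with_suffixes(host, suffixes)
    if hit is None:
        return None, False
    fqdn, _suffix, _addr = hit
    return fqdn, certificate_acceptable(fqdn, cert_names)


if __name__ == "__main__":
    suffixes = ["mydomain.com", "mydomain.net"]
    # Cert issued for the name that resolved: accepted.
    print(check_https("foo", suffixes, ["foo.mydomain.net"]))  # ('foo.mydomain.net.', True)
    # Cert for the same host under the other suffix: rejected.
    print(check_https("foo", suffixes, ["foo.mydomain.com"]))  # ('foo.mydomain.net.', False)
    # Cert carrying only the unqualified short name: rejected.
    print(check_https("foo", suffixes, ["foo"]))  # ('foo.mydomain.net.', False)
```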
Wouldn't be the first time MS has a very 'interesting' interpretation of best practice. Remember how long it took for Exchange to stop using 'accept-then-bounce' instead of outright rejecting the SMTP session for an unknown recipient?
Remember though the reasoning for that - rejecting immediately allows for a reasonably high-speed dictionary attack to harvest the email addresses in the organisation. Remember also the timing of that decision - the 90's, not the late noughties. For example, consider the following approach:
Connect to mail server
Attempt to send to a dozen common names - "Bob@domain", "Jim@domain" - if any succeed, assume the email format is FirstName@domain; use dictionary of first names to harvest addresses
Attempt to send to InitialSurname - "BJohnson@domain", "TSmith@domain" - if any succeed, assume the email format is InitialSurname@domain; use dictionary of first names to harvest addresses
Attempt to send to Initial.Surname - "B.Johnson@domain", "T.Smith@domain" - if any succeed, assume the email format is Initial.Surname@domain; use dictionary of first names to harvest addresses
Attempt to send to FirstName.Surname - "Bob.Johnson@domain", "Ted.Smith@domain" - if any succeed, assume the email format is FirstName.Surname@domain; use dictionary of first names to harvest addresses
It's surprising just how many addresses you can find and harvest given one or two matches even assuming the above, simplistic algorithm. Nowadays, yes, we all do outright rejection, we use greylisting, we use reputation services. It's a different Internet.
For our sake, I sincerely hope many of their computers were sold to the Government. Memo to God: Please make it so. Please make it so. Please make it so.
A very serious crime. It comes with a sentence of 15 years paid leave on a Caribbean island, compulsory parades in New York, Los Angeles and the referee's home town and a requirement that you accept being carried around like a king for the rest of your life.
Perhaps I can help you understand, in the standard American fashion of talking loudly in the hope that this will magically convert the English words into the local dialect.
THE GOVERNMENT IS STUPID. THIS MEANS THEY WILL MAKE A STUPID, ILLOGICAL, INEFFECTIVE DECISION THAT DOES NOTHING TO RESOLVE THE ACTUAL PROBLEM.
There is no malice from the Government - it's a case where they're too flipping stupid to be malicious.
Nintendo might be doing something about all the bad shovelware they grant a license to.
On the one hand, some Slashdot users say the console makers need to be more open to homebrew. See, for example, the griping about Sony's removal of Other OS. On the other hand, other Slashdot users say the console makers need to be less open to alleged shovelware. What should one believe?
Perhaps, since these statements are not diametrically opposed, we can logically support both? If it were true that all homebrew apps/games were the same poor quality as is denoted by the tag "shovelware" then supporting both statements would be illogical.
Funnily enough, though, on the Nintendo platforms, Nintendo have approval-type processes just like Apple do - so all the shovelware crap (which gamers dislike) is available, and homebrew (which we support) is not available. This then justifies supporting both comments.
What if I decide in the first 30 minutes I don't like the game? Can I take it back to Gamestop and get my money back? Fat chance. If I download a $1 game and decide I don't like it, then meh.
Funnily enough in Australia there is a chain (which I shall decline to name, given they won't pay me for the ad) where this is in fact possible for up to 7 days after purchase. They even extend that around Christmas to "7 days after Christmas Day" which in practice means you can get a crappy game from your Aunt, return it before Jan 2 and get full credit on another more desired game.
Are you suggesting that (somewhere in the Insane States of America) there is a board that will sue you if you don't fuck up enough!? Because that is what you appear to have said - "The executive director of the engineers licensing board (believes there is a law) prohibiting doing engineer quality work".
It *is* possible to encrypt the password for real before the password gets passed to the server, by means of using some javascript with a one-way encryption (think pgp) and a public key, but that would require disclosing the public key as well as the encryption algorithm being used, which isn't very good mojo.
WTF? There's nothing wrong with disclosing the public key (hint: it's right there in the name). You can encrypt with the public key, publish the key on websites, in newspapers, hell broadcast it on national radio - it doesn't matter. That's the point. Just don't publish the private key.
As per the article, the Australian Privacy Commissioner has suggested the company might be running afoul of the Australian NPP. Since even our government seems to have more money than this company, I'd bet there will be sufficient complaints reasonably quickly and the Govt will be initiating the lawsuits. Popcorn or similar snacks will be recommended :)
I don't see the point. 60%+ will be married / unavailable, at a guess, 20% will not want to be contacted and 20% will be like me (fat, ugly, mean and nasty - yes, I'm just pre-populating the database). Who are they going to match with "george421@gmail.com who has a Slashdot account and isn't on Facebook"? (Sorry, if you're george421@gmail.com).
As for the response from the operator, "We don't expect to have privacy issues" - the Australian privacy commissioner is probably the better informed spokesperson in this particular case. Let's not forget "the only way to not be in the database will be to log in, confirm all your details then delete them" - who here thinks they'll respect the deletion? Anyone? "You there in seat 23596DKL were you raising your hand or scratching... oh OK scratching it is."
Well yes and no. Yes, because it reinforces my feeling that I'm not alone in this. No because the Mozilla developers sadly have a history of doing stuff and saying "we're not undoing it or giving you an option, it's the better way, we know best". See awesome bar (of which I'm a fan), lack of statusbar (not a fan) and tabs in titlebar (not a fan). MS used to have UI guidelines for Windows - seems those are ignored now too.
It's funny/sad - I refused to switch to Chrome because I disliked tabs in the titlebar and the ridiculously minimal UI. With FFx4 going that way I may as well go back to IE. Really.
They apparently also forgot that some OS's (eg Win7) allow you to drag the window titlebar even if it's maximised. So on Windows if you have more than a few tabs and a maximised browser, you can no longer drag the title bar away from the top edge of the screen - because there IS no titlebar. I don't get it - I thought rule 1 was "don't fucking change the way the application looks and behaves just because you changed the window size". Now I need to have the menu bar showing and re-organise all the chrome so that I have a title bar and consistent UI again. Not to mention the 18 years or so of looking at the status bar for the next URL/action (NCSA Mosaic, 1993, and every other fucking piece of software written for almost ANY platform).
It's not really all that difficult to shape downstream traffic. All you need is a router between your internet connection and LAN clients. I've done this for years at my office using the QoS functionality of the Linux kernel. We are located out in the middle of nowhere with T-1s as our only means of connectivity. Sharing a 3.0mbit/s connection with 60+ employees without QoS is virtually impossible if you need to run interactive protocols.
And just how, exactly, do you plan to have this router on your local network control the rate of incoming packets over your T1? Once they get to your router, to be "rate controlled" they've already been transmitted through the limited size network pipe. At that point, what reason is there to hold up delivery to your local user? If you want to queue and prioritise, it has to be before the slow link (and that in itself gives you the problem not-linked-to-but-described in the summary).
I'm quite sure you can control the rate you send, but you receive data when you receive data - you don't control the packet order, size or content, the sender does.
You appear to be unaware of the "slippery slope" concept. Let me try to help.
Today the NHTSA will require that new vehicles have a single rear mounted camera for reversing.
Specifically, we know that the cameras don't record video today. But an SD card slot on the board is probably $1, and the SD card itself $5 in bulk, so "For just $6, we can guarantee that we have video evidence if someone reverses over a person - if that saves just one life it's worth it". The upshot is now the reversing camera records the last 24 hours of reversing video with a time/date stamp.
Then we get "But that only shows the REAR of the car, what happens if the car sideswipes a child?" Well that's OK, "For just $12, we can guarantee that we have video evidence if a car slides into/sideswipes a child on a bike - if that saves just one life it's worth it". The upshot is now the new side cameras record the last 72 hours of side-on video with a time/date stamp.
Finally someone points out that it's possible to just run over a poor child, so "For just $6 more, we can guarantee that we have video evidence if someone drives over a person - if that saves just one life it's worth it". The upshot is now the complete set of cameras records the last 168 hours of all-round video with time/date stamps.
Next step: Record the driver at the same time and now you can prove who was responsible for killing the poor innocent child. Won't you think of the children? For just $6, we can make sure that the horrible child killer is brought to justice!
And that's the slippery slope. See how it works?
Funny thing is... I went and looked up this NHTSA organisation (I'm Australian, this abbreviation was unfamiliar to me). They already have a campaign for "the faces of distracted driving". So... for all we know, internally they could be sliding down that slope (or another one)...
Comcast claims that a good network maintains a 1:1 with them, but that's simply not possible unless you had Comcast and another broadband access network talking to each other. In the attached graphs you can see the ratio is more along the lines of 5:1, which Comcast was complaining about with Level (3). The reality is that the ratio argument is bogus.
Comcast claims that free peering arrangements should have close to 1:1 ratio. And if you don't maintain that ratio, then you should pay for transit, just like Comcast is doing with TATA.
Wait a second... So Comcast is pulling more traffic from Tata than they send, and paying Tata for that. Agreed?
In the L3 case, Comcast would be pulling more traffic from L3 than they send, and thus L3 should pay Comcast for that - and the reason is because it's a business in market X and not market Y!? Whatever you are smoking, I want some.
So how is it the same?! If Comcast is pulling more traffic from two vendors, why should one pay for it and one should be paid for it? In both cases, it's the Comcast subscriber requesting the data. Yet your argument is that L3 should pay for it and Tata can be paid for exactly the same scenario.
Maybe you should think about having a consistent opinion - change it by all means, or clarify it, but holding that two opposite viewpoints on the same issue are in fact equivalent makes you seem like a lunatic - and there's no full moon tonight.
Curious. As an Australian, I don't believe I've seen the word before the advent of FB. If nothing else, its usage in Australia is uncommon. At least I learned something today.
FFS. "so that I can use it for {another tech-buzzword-filled purpose}". Damn < and >
"This is not a phone. It has been modified internally so that I can use it for . Do you understand?"
What makes you think that will stop them from trying ... then reimaging the server when it doesn't respond?
Or just right-click on one of the URLs and choose "Forget about site".
So what! I'll just look one up on the Internet ...
Rabbit season!
Prior art - Criterion Games and Burnout Paradise (I think it's sent to a competitor when you beat their time on a road, I don't recall).