Slashdot Mirror


User: petermgreen

petermgreen's activity in the archive.

Stories: 0
Comments: 10,783

Comments · 10,783

  1. Re:The Fix: Buy good Chocolate! on MARS, Inc: We Are Running Out of Chocolate · · Score: 1

    The problem is it takes time to ramp up and down production so supply in the short term is fixed, this means that the price can swing much higher (bad for consumers) or lower (bad for producers) than the long term stable level.

  2. Re:Okay, so on ISPs Removing Their Customers' Email Encryption · · Score: 1

    Customers were using transport encryption on an "if available" basis.

    The ISPs did something that made the transport encryption unavailable and so the customers' systems fell back to sending unencrypted. Maybe they deliberately attacked it. Maybe they put in a rule to redirect mail through their smarthost for some reason (likely spam related) and ended up disabling encryption as a side effect.

    Had the customers used end to end encryption they would have been unaffected. Had the customers been using transport encryption with proper authentication (which is possible but problematic to do for email if all parties cooperate) then things would have stopped working until the problem was sorted out/worked around.

    Is it bad that ISPs are messing with their customers' communications in this way? yes!
    Is it bad that many areas have an effective ISP monopoly which makes it harder to take business away from ISPs who pull this shit? yes!
    Is it a good idea to use encryption systems that are this vulnerable for stuff that needs to be kept secret? no!

  3. Re:Huh on Comet Probe Philae To Deploy Drill As Battery Life Wanes · · Score: 1

    The planning for this mission was started 30 years ago - in 1984;

    Do you have a source for that claim? Googling Philae 1984 doesn't seem to turn up anything relevant.

    Imagine that - the IBM PC with its 16 KB of RAM was advanced

    The XT which came with 64K as standard and supported 256KB on the motherboard (and 640K through add-in cards) was released in 1983.

  4. Re:Credit Cards? on European Parliament Considers Sharing Passenger Information By Default · · Score: 1

    I suspect that when they say "credit card information" they will actually include information for other types of payment card as well.

  5. Re:Okay, so on ISPs Removing Their Customers' Email Encryption · · Score: 1

    If you configure your mailserver to only talk to servers that advertise TLS with a valid cert you will cut yourself off from most of the internet. So what you would actually have to do is configure your server to add special cases for the domains you want secure communication with. Make a typo in those special cases so they don't match the domain they were intended to match and you are back to the original problem of being vulnerable to "downgrade to plaintext" attacks.

    And even if you ensure the next hop after your mailserver is encrypted and authenticated you have no guarantee that later hops (for example backup MX to main MX or mail download by receiving client) are encrypted.

    Worse, the retry orientated nature of email makes it much easier for a downgrade attacker to go unnoticed if he notes which domains downgrade attacks fail for and doesn't attempt them for that domain in future.

    And then there is the whole issue of the CA model being not especially secure to start with. If you can receive unencrypted email targeted at a domain you can buy an SSL cert for that domain. So the CA model really only protects against a MITM on the sending side, not against one on the receiving side.

    Don't get me wrong, I don't think these ISPs should be allowed to get away with pulling shit like this but equally transport encryption of email should not be regarded as a high security solution.

  6. Re:Okay, so on ISPs Removing Their Customers' Email Encryption · · Score: 2

    It's just as secure as everything else.

    As this incident proves, using a policy of "tls if available" has a serious security hole. An attacker can make encryption appear to be unavailable and then sniff the plaintext when the system sends without authentication or encryption.

    Email's multihop nature makes it very difficult to ensure that all the hops are enforcing appropriate transport encryption and authentication. If you want your emails to be secure then you need to use end to end encryption.

  7. Re:When qualifications matter and learning doesn't on The Students Who Feel They Have the Right To Cheat · · Score: 1

    Judging people by qualifications is a shortcut to assessing their actual ability. But if qualifications are unreliable, and cheating makes them unreliable, then we have to revert to actually assessing what people can do, and ultimately by methods that are not written exams: rather the throw-em-in-the-deep-end sink-or-swim type tests. This takes more effort and resources, for no material gain. Hence everybody loses.

    Worse than that, it isn't always practical. If you have 100 times more applicants than positions then you will have to prefilter somehow before you get into the intensive selection process. Even with rampant cheating exam results are likely to be positively correlated with ability and therefore likely to be used as a prefilter.

    Which in an environment where cheating is rampant makes life very difficult for honest students :(

  8. Re:No composite output means no output at all on Eben Upton Explains the Raspberry Pi Model A+'s Redesign · · Score: 1

    You can connect the Pi to a DVI display with a passive adaptor. At least round here you can pick up used 1280x1024 DVI monitors pretty cheap (sometimes even free) which will be a massively better experience than a composite display.

    BTW the A+ and B+ do still have composite, it just shares a connector with the analog audio now.

  9. Re:Arietta G25 on Raspberry Pi A+ Details Leaked · · Score: 1

    On the plus side multiple accessible USBs (one of which can be used for a wifi module if desired). On the downside much weaker CPU, no evidence of a GPU or video output at all

  10. Re:Will it have the same garbage CPU? on Raspberry Pi A+ Details Leaked · · Score: 1

    A couple of nitpicks on your post.

    Documentation. For 99.999% of people, there is perfectly good documentation,

    The docs are pretty poor though, for example there is no proper documentation on the electrical characteristics of the IO pins.

    and for those of a particularly masochistic bent, you have the full GPU documentation to play with.

    Depends how you define "GPU", there's documentation for the 3D core but not for many other blocks.

  11. Re:Gnome3, systemd etc. on Joey Hess Resigns From Debian · · Score: 1

    You do not have to install gnome3 on Debian, I don't.

    True but if you were running a squeeze (or early wheezy-testing) system with gnome2 and upgraded to wheezy (to get newer kernel, newer apps etc) you would end up with a radically different user environment with no easy way back.

    There was a fork of gnome2 but due to politics it didn't make it into debian until jessie (though it was available from unofficial repos earlier) and you still have to manually rip the gnome components off and replace them with their forks.

  12. Re: Gnome3, systemd etc. on Joey Hess Resigns From Debian · · Score: 1

    In a proper community people's jobs are specialized. If you hire someone to build a house for you you don't tell him tools from which manufacturer to use in construction

    You absolutely tell him what you want the walls made out of and where you want them, where you want the electrical accessories, what type of heating system you want and where you want the bits of it, and so-on. All of those things are discussed between you and your architect and submitted to planning/building regs for approval before the builder is hired.

    You don't specify the brand of the tools but you strongly imply the types of tools to be used by the decisions you make. The level of minutiae you go into depends on the particular building project, for a house what I mentioned is probably most of what is on the plans, for something more critical you will likely have a higher level of detail.

    At least that's how it's done round these parts.

    likewise you don't tell which initsystem/DE a distro maintainer should use

    If you are funding development of the distro you absolutely should tell those things.

    If you aren't paying then you can't directly dictate but you absolutely can and should complain loudly if they make decisions you think are crap. If they ignore you and you can get sufficient developers to agree with you then a fork or derivative may be in order.

    or which IDE/editor/compiler a developer should use.

    You probably don't care too much about the IDE/editor choice but if the project will have any longevity you absolutely should be caring about (this may mean you dictate or it may mean you just sanity check depending on the situation) the choice of language, compiler, libraries and other things that will impact the long term maintenance, portability and overall viability of the software.

  13. Re:DebianNoob on Joey Hess Resigns From Debian · · Score: 4, Informative

    I disagree strongly about this being an "implementation detail", IMO it's a question of fundamental strategy. What this GR really comes down to is when the choice comes down to denying admins the choice in init systems or refusing new upstream versions because systemd's tendrils have dug too deep in the upstream project which side should Debian take?

  14. Re:For some values of secretly on Dealer-Installed GPS Tracker Leads To Kidnapper's Arrest in Maryland · · Score: 1

    If such transfers became a significant problem I imagine it would not be difficult to deploy countermeasures that would make them significantly harder (such as binding the device to the car's ECU by VIN or similar).

  15. Re: Typical!! on Dealer-Installed GPS Tracker Leads To Kidnapper's Arrest in Maryland · · Score: 2

    That works against a crude audio bug which is transmitting continuously at a fairly consistent level.

    It's likely to be much less effective against a location bug that transmits periodically in very short bursts and possibly only when significant movement is detected.

  16. Re:Dammit! on Life Insurance Restrictions For Space Tourists · · Score: 1

    If you define "escape" as "Earth's gravity has absolutely no effect anymore" and you assume that relativity will perfectly match reality in all scenarios then you are correct.

    On the other hand if you define "escape" as "the impact of Earth's gravity is negligible compared to the impact of other celestial bodies" or even "the impact of Earth's gravity is too small to measure" then "escape" is certainly possible.

  17. Re:Efficiency on Enzymes Make Electricity From Jet Fuel Without Ignition · · Score: 1

    So what if any precautions would you take for jet fuel that you wouldn't take for say petrol or methanol or other common flammable liquids?

  18. Re:Efficiency on Enzymes Make Electricity From Jet Fuel Without Ignition · · Score: 1

    I don't think jet fuel requires any more special handling than other similar fuels.

    The advantage of something like jet fuel or diesel is it's already being distributed in large quantities. So those hazardous material handling costs are amortised over a much larger volume of fuel. Whereas if you have a special (but similarly hazardous) fuel with higher purity or different additives those costs are spread over a much smaller volume.

  19. Re:I have a serious question.... on Court Order: Butterfly Labs Bitcoins To Be Sold · · Score: 1

    Despite the substantial presence of scammers it's clear that some ASICs have made it to customers.

    Also there's suspicion that the reason many ASIC devices were delayed until they were no longer profitable was because the makers were mining themselves rather than fulfilling orders.

    There have also been reports of some big bitcoin mining operations starting up, possibly big enough to bypass the bullshit and get their own chips made.

  20. Re: how many sales are forced? on Windows 8 and 8.1 Pass 15% Market Share, Windows XP Drops Below 20% Mark · · Score: 1

    Machines with Windows 7 (usually 7 Pro installed as a downgrade from 8 Pro) are still available at the moment if you plan ahead and know what to look for.

    OTOH if you don't plan ahead and just go to the shops and buy a computer then things are far less rosy. The non-pro editions (what you will likely get retail) don't come with downgrade rights and AIUI neither do the retail/retail upgrade versions of the pro editions.

    So if you get a machine with non-pro Windows 8 and want to downgrade then AIUI your only options are buying a complete new copy of Windows 7 (which AIUI are no longer being made so will become harder and harder to find) or setting up a volume license agreement and buying an upgrade to pro under that agreement.

  21. Re:Not sure where those numbers come from on Windows 8 and 8.1 Pass 15% Market Share, Windows XP Drops Below 20% Mark · · Score: 1

    Your own experience is unlikely to be a reliable barometer of what's happening in Munich, Shanghai or Addis Ababa ...

    True but I wouldn't take their numbers as reliable either. The honest truth is that no one has a real picture of usage share.

    From their FAQ (emphasis mine)

    "Net Market Share data is an aggregation the traffic of all of our HitsLink clients, but instead of counting pageviews we count daily unique visitors. A daily unique visitor is counted only once per day per website we track"

    So it seems machines that are used to view a wide range of different websites get counted many times. Machines that are only used to view a handful of websites will likely be counted far less or not at all and machines that aren't used on the web at all definitely won't be counted.

  22. Re: Wondering about those numbers. on Windows 8 and 8.1 Pass 15% Market Share, Windows XP Drops Below 20% Mark · · Score: 1

    Have a corporate/school-issued (volume license) computer with Win8 installed? Your IT folks will have to re-image it for Win8.1.

    You don't have to go as far as re-imaging you can upgrade in place but it isn't automatic, you will need the media and activation related steps will also need to be taken (AIUI if you are using KMS the KMS server needs to be updated, if using MAK you will need to install a new key on the individual machine)

    And yes I do think producing something that was support/updates wise (and I think but I'm not positive licensing wise) treated as a service pack but activation wise treated as a new version was a mean thing for MS to do. I guess they did it in one of their futile attempts to make life harder for pirates.

  23. Re:Fucked Up on Car Thieves and Insurers Vote On Keyless Car Security · · Score: 1

    #1: Basic insurance is required to drive your vehicle on public roads.

    All you need to legally drive your vehicle on the road is third party liability insurance. You do not need coverage against fire and theft and you do not need coverage against damage you cause to yourself and your own vehicle.

    #2: Insurers can refuse to insure some vehicles, or set the price such that no one is going to try to insure it anyway.

    They can but there are a lot of insurers out there. If a rational risk analysis says there is money to be made then it's likely someone will insure it. At least the freely accessible bits of TFA don't make it clear if he was denied third party insurance or only denied insurance policies which included theft cover. It also doesn't make it clear how widely he searched (another article I found which may or may not be about the same person claims he later found insurance from another provider).

  24. Re:My solution: (hint-it's cold, and it's hard...) on Rite Aid and CVS Block Apple Pay and Google Wallet · · Score: 1

    Banknotes do have serial numbers but cashiers don't check and record them whenever a banknote enters or leaves the till. AIUI coins don't have serial numbers at all.

    So there is some ability to trace but it's going to be high effort and imprecise for small transactions (for large transactions there are reporting requirements which make it traceable). Whereas with electronic transactions it's trivial for them to get a list of all your transactions and/or all the transactions at a given merchant location and time.

  25. Re:Good luck with that. on Rite Aid and CVS Block Apple Pay and Google Wallet · · Score: 1

    Here in the UK if you have an overdraft you start paying interest (and sometimes fees) as soon as you go negative. If you have a credit card then as long as you pay it off in full each month you pay no interest. Some merchants charge extra for using credit cards but most don't. Some cards have a fee just to have the card but again most don't. So you can effectively push a substantial chunk of your expenses a month into the future at no charge. Sometimes you can even get perks for doing so.

    Carrying a balance on a credit card on the other hand is for suckers and the desperate.