You can't really lock the other exits. If you do, you are probably violating fire code in almost any place in the United States. A locked exit means someone burns up (maybe) in a fire. You can put signs on the other exits saying "Use only in emergency", and you can even alarm the other exits (this is pretty common in public halls, I think), but you cannot actually lock them to prevent them from being opened.
"You have to combine this with "someone" standing at the door checking the sheets... and going through people's bags so they can't just walk out. This doesn't have to be a security guard, it could just be a volunteer. At Quakecon they have a combination of both real (off-duty) Cops and Volunteers.
Finally, as others have mentioned... make sure there is only _one_ way in and out of the area with hardware in it. Lock all other doors and put up signs saying that there will be penalties for opening any non-official doors."
Until someone pulls the fire-alarm and then people scramble for the nearest exit. If a fire alarm is pulled, you can't stop people from exiting the building through any available entrance, and you can't make them wait for an inspection. So, all the thief has to do is grab some gear, then pull the fire alarm (or maybe, the other way around).
This isn't about law. This is about the Olympics. At the Olympics, the IOC has the final word on who gets a gold medal, and who doesn't. The 'laws' which are alleged to have been violated are the rules of the IOC, not the rules of Chinese law. What could be done about it is to disqualify the Chinese gymnast, and take away any gold medals which were awarded to her. That would be pretty extreme, and as you say, I doubt that will be done, because China would, as you say, just deny any evidence that she is too young, and brush it off as a clerical error which has been 'corrected'.
When Nadia won at 14, I believe that 14 was a legal age. The point is, the rules changed, and under the *current* rules, 14 year olds are not allowed to compete. There is a very real reason for that - this should be *women's* gymnastics at the Olympics, not pre-pubescent girls' gymnastics. Sure, 14 year olds can do gymnastics. That's not the point. The point is, post-puberty women with hips, butts, and busts, who might weigh 100 to 150 pounds are at a severe disadvantage to compete against girls who weigh 60 or 70 pounds and have their body mass distributed more symmetrically.
I suppose the counter argument to that is, no matter what age you limit it to, you can find older women who have body types which are less developed, and so they will still have the advantage, so what's the point, really?
I might be missing something here, but this article proposes, as a way of trying to make the management of keys/certs easier (which is necessary to implement the client-side certs), to use this "SecureAuth" system. . . which downloads an SSL cert to your computer. So. . . uhh, why can't an attacker intercept this? Well, the answer seems to be (maybe I'm misunderstanding here) that before the SecureAuth system will download the cert to you, it sends you some sort of one-time-password via phone or SMS, which you must enter to get the key . . . but once you've typed in this one time password you got by phone, what prevents the MITM from intercepting that password the exact same way it would have been attacking the other one-time-password generated by the keychain fob, and therefore be able to impersonate you to the SecureAuth server and get the client cert which should have been sent to you?
Flash mostly works for me ( Ubuntu Hardy Heron ), but I occasionally see spontaneous browser crashes when watching videos on hulu.com. There's also this weird thing (I think it's a Firefox 3 compatibility issue because I didn't have this problem until Ubuntu upgraded FF2 to FF3) where when I try to enter Full Screen mode in their video player, and it actually does go fullscreen for about 1 second, then automatically 'collapses' back to non-fullscreen viewing mode (where it's embedded in the web page).
Neither are major problems, but are minor irritants.
Negative book reviews are as worthwhile as glowing positive book reviews - they help me try to figure out what might and might not be worth reading in a world of a billion books, where I certainly don't have time to read more than a tiny minority of extant works.
If I ever see "The Lost Blogs" in the Library or a bookstore, now I'll know it might be a good idea to skip it.
If you have the ability to 'eavesdrop' on my connection to the server (which you would likely need to grab my clear text ftp password), then you already have my *encrypted data*. While there still might be some benefit to people not being able to snag your password, it's only that they cannot upload stuff to your account or delete stuff on your account (which would be bad). As far as *getting your data*, SCP/SFTP provides no additional protection over encrypting your data with another program and uploading the encrypted data to your server.
All SSH/SCP do is encrypt your traffic during transmission. The file data is decrypted on either end of the transfer. It sounds like this guy is looking for a solution that encrypts the files *before* transmission, and keeps them encrypted on the ftp server. If you encrypt the files before transmission, they are then also encrypted *during* transmission. So, what this guy wants is actually *more* secure than SFTP because the data remains encrypted in storage on the ftp server.
What's wrong with that?
I can think of a few individual tools that could be used together to form a solution for this type of thing, but I think this guy is looking for an all-in-one tool to do this automatically (something I've also kind of wished for - sometimes you just want something that will individually encrypt files [not a zip or tar type archive file, or a truecrypt style encrypted virtual-drive, because if a single file changes, you have to upload the entire archive again], and upload new versions of only files which have changed since the last backup, automatically). It would be very nice to have something like that to use with all of the online-backup services out there which are like $5 or $10 a month, and which you don't really want to trust with unencrypted data.
This is not an Oxymoron, this is a perfectly legitimate problem for which it seems like a solution *should* exist. I've not found it yet, though. I, too, would love to hear about such a solution that is also open source (I've seen a few proprietary systems which might have been able to do this).
In my previous post I mentioned the issue of connecting old hardware to newer hosts, but you also have to consider the other way too. . .
If they implemented USB 3 in a similar fashion to USB 2, the new hardware is backwards compatible with older USB hosts, back to version 1.0. Sure, it'll be slow on version 1.0 (in the case of something like an HDTV Tuner, it might have to downconvert the video stream to lower resolution when connected to a slower host), and even on 2.0 it'll be slower than it would if connected to 3.0 (though for a lot of devices, 2.0 is at least fast enough to be useful), but backwards compatibility is a huge market win. It means that as a device maker, I'm not limiting my market to only the people with the latest and greatest hardware - the hardware can gracefully 'downgrade' to work with the huge number of computers that have USB 2.0 and 1.0 but not 3.0 yet.
Backwards compatibility is both good business and good engineering (when possible; it's true that in some cases, the cost of backwards compatibility could be so high that it does not make economic sense to bother, but I don't think with something like USB that tends to be a 'blocking' level problem).
Don't have time to read the article, but historically one of the advantages of USB has been that almost any peripheral, high speed, or low speed, can be plugged into the same type of connector, so users don't have to worry about which plug to plug the keyboard into, which for the mouse, which for an external hard drive, camera, thumb drive, etc. That is the real beauty of USB - the 'universal plug'. Which is one reason I'm worried about an 'optical' version of USB - because that would seem to require a new plug type which I suspect would not be backwards compatible?
I *hope* that 'tweaked' USB 3 connector is backwards compatible with older USB connectors and hardware, so you can still plug the keyboard, printer, mouse, scanner, etc into it, *but also* plug in future high speed hard drives, network adapters, HDTV tuners, blu-ray burner drives, etc. I really like the idea of a universal plug for everything. It makes computers so much simpler to work with.
That's part of why I don't like the idea of e-SATA - unless I'm mistaken (haven't looked much at eSATA yet) it's introducing a new interface type which is basically not compatible with USB, requiring a differing plug.
I can think of at least a few reasons why one might go on such a show, that wouldn't be a complete waste of time:
* Seed planting - You might have the opportunity to make a statement to that audience - a claim, a promise, whatever, which people might disagree with at the time, but you are on record as having said it, and that audience may well remember it in the future, for good or bad (good would be if time proves you right, bad would be if time proves you to be a fool). You say that only time and experience will change their minds. Part of the process of 'experience' is hearing someone say something that you disagree with, then having them proven right in the future. So maybe you appear now not for a short term benefit, but perhaps for a longer term benefit.
* Positioning - If a candidate is perceived as very conservative, or very liberal, they can use appearances on moderately liberal or moderately conservative shows as an opportunity to make announcements about new positions/policies, or a change of previous position, to try to attempt to reposition themselves more to the center. In that case you are not trying to change the audience's mind about something you and they disagree on, but instead trying to find a common ground with that audience.
If you are using the key file to protect, say a TrueCrypt file on your hard drive, the key file itself is on your hard drive, and someone has access to your computer, you're right. That someone has everything they need to pretty quickly (on order of hours or maybe days at best) get into your TrueCrypt drive. But, let's say you are using that md5sum to instead protect your login for a VPN or secure website. The attacker does not have access to your computer, so they don't know what files to test against. Further, the remote server might lock the account after 10 failed tries (or whatever). Of course, arguably, in such a scenario, you don't even need a password that is close to this strong - since they only get 5 or 10 tries before the account gets locked, a relatively weak password might be sufficient.
For something like a truecrypt volume, or any other system where an attacker can get potentially an unlimited number of tries, and can try a very large number of permutations very quickly, I think a keyfile is a pretty bad idea, unless the key file is on removable storage like a USB key or CD - and then that does still always leave the problem of losing (or having stolen) the media.
Personally, I favor mnemonic-device password generation techniques - things like deriving a password from the lyrics of a song, poem, or a favorite passage from a book (which you haven't advertised to the world, of course), etc. They may not produce the strongest possible passwords, but you should be able to generate something sufficiently strong to slow most attackers down.
According to the link you posted, Cryptic is still developing the MMO, it just is no longer going to be a Marvel-licensed product. It still shows up on the Cryptic Website (Champions Online is the working title). Still, now that they have something else to work on, where they don't have to directly compete with their past success, they may well decide to stop or defer the Champions project. I think if I were a developer, I'd rather work on a Star Trek MMO, which would tap a basically untapped market (Star Trek fans), instead of a market I already tapped in the past (Super Hero fans) and which still is running successfully.
Although, there is something to be said for the idea that the market probably could use a successor to CoH. I've been playing it for over 3 years, but, honestly, it might be nice to play something super-hero themed, but which uses completely different game mechanics - just something new and fresh.
I've wondered this before. If you don't secure your network somehow, and someone else uses it to commit crimes, can you be held liable? For all the police know, it was you using the network. Does this provide sufficient 'reasonable doubt' as to require the police/prosecutors to have to prove it was actually you using the network at the time?
I think the reason for this article is to let people know that Star Trek Online, as a project, isn't dead. STO was actually announced like 3 years ago or something like that, and at the time was being developed by a company called, IIRC, Perpetual Entertainment. I don't know what the story is with that company, but basically the license got yanked from them like 6 months ago or something, and these announcements are just to let people know that the project hasn't been completely scrapped. But, it's gonna be another 3 years or something before it's released.
Personally, I'm a little worried - Cryptic did a decent job with City of Heroes/City of Villains, but now they are trying to simultaneously develop 2 or 3 different MMOGs (one for Marvel which will compete [or, maybe, really, replace - sort of CoH 2] with their earlier CoH franchise), this Star Trek MMO, and they have artwork up on their website which suggests they have a 3rd product in development which hasn't ever been announced (they have some screenshots depicting modern/futuristic soldiers attacking fantasy-themed monsters with guns).
Seems to me like with that much on their plate, *something* has to get the axe, or just be crap because they don't have enough experienced people working on it. I hope I'm wrong, but it always seems when companies try to do more than one MMORPG at a time, it just doesn't work.
"Star Wars Galaxies had lots of bugs to be sure but the major gripe was that it just wasn't Star Wars. For me the real killer was that Storm Troopers were insanely hard to kill while of course in the movies they die if you sneeze at them. I am also fairly sure Luke Skywalker never spent time beating up bunnies to get his knife skill up to scratch or mastered a dozen professions before becoming a Jedi."
MMORPG's will *never* be like movies? Why? Because movies are designed to be over in 2-3 hours, while MMORPGs are designed to keep you subscribed for as many months as possible. Without grinding, why would you stay subscribed to the game, paying $14+/mo (man, inflation sucks - I remember once upon a time paying about $10/mo for MMORPGs, but every year or two, like clockwork, prices seem to go up about $1/mo, so I would totally expect the Star Trek MMO to be about $16/mo)?
But, there you have it. The business models of movies and MMORPG's are so different that you can't ever expect a 'cinematic' experience from an MMOG. People wouldn't watch a movie that consisted of 3/hrs a day for 1 month of watching Han Solo and Luke Skywalker killing various fauna before they ever started taking on the Empire, followed by 3-4 months of missions against the Empire, wherein a small group of 2 or 3 of them kill, over time, about 100,000 storm troopers and imperial navy goons.
I've thought about doing something like this once or twice, but I have to wonder if, post-9/11, would FAA/TSA regs even allow this? I imagine government types like everything to match up nicely. Aircraft passenger manifests matching with the reservation list in the computer, or else the passenger not on the flight at all.
I bet this guy could work out a deal with Apple where he keeps a small amount of the 'sale' price for this thing (maybe 49.99), and donates the rest to some worthy humanitarian organization(s). Then you turn Conspicuous Consumption into Conspicuous Donation. Let the rich guy or gal who insists on paying $1000 for an "I am rich" sign, and who obviously doesn't need the money, help out others. They still get their ego gratification, the poor people who need help get it, and the guy who thought it up makes a living.
I can see the point that people make about encryption to an un-verified certificate (like a self-signed) being, potentially 'false security', but I also think the main article has a sort of point too -
Mozilla has always warned users about self-signed certificates, but I've never liked the warning. I think they are poorly worded and confusing to people, and the latest incarnation is particularly obtuse.
There is a place for self-signed certificates, I think, there just needs to be a way to add those self-signed certs to users browsers in a better fashion. Self-signed certs are perfectly safe if you have some way to verify them 'out-of-band' - that's the tricky part.
I think the ultimate answer to this problem might rely as part of a secure DNS system. We've seen from the recent DNS cache poisoning vulnerability that the current version of the DNS protocol is starting to show its age. Perhaps DNS needs to be re-designed to include cryptographic verification of the DNS chain, so that you can know you can trust data from DNS.
If you're defining a new version of DNS anyhow, it might be a perfect opportunity to make CAs less necessary, by allowing webmasters to put their self-signed cert into their DNS records (or maybe, that might add too much data to DNS requests, but you could at least add a secure hash so that the browser could verify the cert that the web server passes it, against the DNS record for that domain). I think there might still be a place for CAs for giving additional verification (e.g. DNS would just allow you to know you were getting the right certificate for that domain, CAs can maybe do additional verifications to make sure that the organization that owns a particular domain and SSL Cert really is who they claim to be, maybe?)
Let every DNS record be its own Certificate Authority.
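The hash-in-DNS check proposed in the comment above, as an added example that is not part of the original post: it borrows the TLSA record layout from RFC 6698 (DANE) and handles only usage 3 (pin the server's own certificate) with selector 0 (whole certificate). The certificate bytes, the function names and the `dns_validated` flag are assumptions made for the illustration.

```python
"""Check a server certificate against hashes published in DNS (TLSA-style)."""
import hashlib
import hmac
from typing import Iterable, NamedTuple

USAGE_DANE_EE = 3        # pin the server's own certificate, no CA involved
SELECTOR_FULL_CERT = 0   # the hash covers the whole DER-encoded certificate
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}  # TLSA matching types 1 and 2


class Pin(NamedTuple):
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa(rdata: str) -> Pin:
    """Parse TLSA presentation format: 'usage selector matching-type hex...'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs four fields")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3:]))  # hex may be split into chunks
    if mtype in DIGESTS and len(data) != DIGESTS[mtype]().digest_size:
        raise ValueError("digest length does not fit the matching type")
    return Pin(usage, selector, mtype, data)


def is_supported(pin: Pin) -> bool:
    """This sketch only understands 'pin this exact certificate' records."""
    return (pin.usage == USAGE_DANE_EE
            and pin.selector == SELECTOR_FULL_CERT
            and (pin.matching_type == 0 or pin.matching_type in DIGESTS))


def pin_matches(pin: Pin, cert_der: bytes) -> bool:
    """Compare the presented certificate with one supported pin."""
    if pin.matching_type == 0:          # type 0: record holds the full cert
        candidate = cert_der
    else:
        candidate = DIGESTS[pin.matching_type](cert_der).digest()
    return hmac.compare_digest(candidate, pin.data)


def check_certificate(records: Iterable[str], cert_der: bytes,
                      dns_validated: bool) -> str:
    """Decide whether the certificate from the TLS handshake may be trusted.

    dns_validated (assumed input) says whether the DNS answer itself was
    cryptographically verified; a pin from unauthenticated DNS proves
    nothing, because whoever spoofs the answer also supplies the hash.
    """
    if not dns_validated:
        return "dns-not-authenticated"
    pins = []
    for rdata in records:
        try:
            pin = parse_tlsa(rdata)
        except ValueError:
            continue                    # malformed record: ignore it
        if is_supported(pin):
            pins.append(pin)
    if not pins:
        return "no-pins"                # caller falls back to its usual checks
    # Several pins may coexist so a site can publish the next certificate's
    # hash before switching over; any single match is enough.
    if any(pin_matches(p, cert_der) for p in pins):
        return "match"
    return "mismatch"                   # pins exist but none fit: reject


def tlsa_for(cert_der: bytes, matching_type: int = 1) -> str:
    """The record text a webmaster would publish for this certificate."""
    digest = DIGESTS[matching_type](cert_der).hexdigest()
    return f"{USAGE_DANE_EE} {SELECTOR_FULL_CERT} {matching_type} {digest}"


# Constructed sample data: stand-in bytes, not real certificates.
SAMPLE_CERT = b"constructed stand-in for a DER-encoded self-signed certificate"
OLD_CERT = b"constructed stand-in for the previous certificate"
SAMPLE_RECORDS = [tlsa_for(OLD_CERT), tlsa_for(SAMPLE_CERT, 2)]

if __name__ == "__main__":
    for label, cert, validated in [
        ("current cert, validated DNS", SAMPLE_CERT, True),
        ("unknown cert, validated DNS", b"some other certificate", True),
        ("current cert, spoofable DNS", SAMPLE_CERT, False),
    ]:
        print(label, "->", check_certificate(SAMPLE_RECORDS, cert, validated))
```
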
"Removing stuff that you don't use or ever want to use is not exactly going to screw up your box. In real open source stuff, source code is edited ALL the time."
Yeah, the thing is, I never got a response, as far as I can tell, from one of the V-Box developers as to the correct way to fix this. I commented out two lines based on two comments, from two different people, both of whom seemed to just be struggling with the same problem I was and they said, well, these two lines caused the compile error, so we commented them out and it compiles, and appears to work correctly.
My point is that, I am a beginning programmer at best - I understand basic C/C++ syntax. The only help I was able to get building the software is by commenting out lines that I don't know what the true impact of commenting it out will do, by people who didn't appear to be VBox developers and I'm not confident they truly know whether that 'fix' is safe or not. The example I gave about the Debian developer was because, while I might have been a little confused about the exact changes made to OpenSSL, I knew that basically two lines in OpenSSL were changed, and changing those two lines broke OpenSSL, but broke it in such a way that it compiled fine, and appeared to run correctly, but didn't really. How do I know that I haven't built VirtualBox with some similarly subtle problem that isn't obvious, but is critical?
I had to do this because the core VirtualBox developers didn't release code that was buildable based on their build instructions, which brings me to my next reply. . .
"And complaining about "does not compile on Visual C++" is kind of dumb. Visual C++ is not the same compiler as GCC. GCC has different extensions, has better support for lots of C++ crap. The world does not revolve around MSVS.NET 2008."
I never complained, exactly, that it doesn't build on Visual C++ - I followed the official VBox instructions to the letter, which REQUIRE me to use Visual C++ and the GCC port from the MinGW project (although, to be fair, I suppose it might not be up to date with the latest features of GCC - it could be based on an older version). I would have *preferred* if it built entirely with GCC, but, I suspect that VBox developers are forced to use VC++ for certain code which interacts tightly with the Windows O/S.
Anyhow, the Sun developers somehow got it to build for their non-GPL binaries just fine. I very strongly suspect this is not a Visual C++ error as you attribute it. You know why? Because the code that failed to compile had something to do with USB (I don't know what exactly, but it definitely mentions USB in the function names), and the Open Source Edition is not supposed to *have* the USB support built into it. I think one of the developers forgot to do something while 'cutting out' the USB functionality from the GPL code-base. I will give them the benefit of the doubt that this was a mistake, and not intentional, but how hard can it be to setup a 'clean' computer and follow the same build instructions that you put up on your website, to make sure the source tree builds? Granted, they have no legal obligation to do so, but it certainly wins them no friends.
I'm glad they released the source code as GPL, don't get me wrong, but it just seems awfully suspicious that the binaries are not GPL and simultaneously, the official source release won't build when you follow their exact build instructions, putting all the software they say you need, on your computer. Again, it could be an honest mistake, but it gives the appearance of trying to make it difficult for other people to get the OSE built and running instead of the 'official' version.
Linux 0.1 not building isn't a valid comparison here, because VirtualBox is actually a pretty mature product, whereas that was a brand new project that was *only* intended for developer use until it could become more mature.
The "Search" might be reasonable, but seizing and never returning a laptop when no crime has been shown to be committed cannot possibly be within anyone's definition of reasonable. Take the laptop, search it, give it back if nothing illegal is found. I mean, sure, if they find kiddie porn, or JihadSuicideMission.doc, by all means, take the laptop as evidence. But if nothing is found, how can it be constitutional for them to not return it within a reasonable period of time?
I think the 4th Amendment implies a certain right to get your stuff back even if the search and seizure itself was legal, if no cause is subsequently found to keep it. Or, at least, the 5th Amendment, as the GGP mentioned, which says the government may not take your stuff without a conviction. I surely think between the fourth and fifth amendments, there's no argument that would allow the government to keep your stuff when no crime has been committed.
Still, the Constitution is only worth as much as the people who interpret/enforce it, and our government, sadly, currently views the Constitution as a hostile set of restrictions to justify going around, instead of a sworn duty to preserve and protect.
The Streisand Effect.
Not really.
All SSH/SCP do is encrypt your traffic during transmission. The file data is decrypted on either end of the transfer. It sounds like this guy is looking for a solution that encrypts the files *before* transmission, and keeps them encrypted on the ftp server. If you encrypt the files before transmission, they are then also encrypted *during* transmission. So, what this guy wants is actually *more* secure than SFTP because the data remains encrypted in storage on the ftp server.
What's wrong with that?
I can think of a few individual tools that could be used together to form a solution for this type of thing, but I think this guy is looking for an all-in-one tool to do this automatically (something I've also kind of wished for - sometimes you just want something that will individually encrypt files [not a zip or tar type archive file, or a truecrypt style encrypted virtual-drive, because if a single file changes, you have to upload the entire archive again], and upload new versions of only files which have changed since the last backup, automatically. It would be very nice to have something like that to use with all of the online-backup services out there which are like $5 or $10 a month, and which you don't really want to trust with unencrypted data.
This is not an Oxymoron, this is a perfectly legitimate problem for which it seems like a solution *should* exist. I've not found it yet, though. I, too, would love to hear about such a solution that is also open source (I've seen a few proprietary systems which might have been able to do this).
In my previous post I mentioned the issue of connecting old hardware to newer hosts, but you also have to consider the other way too. . .
If they implemented USB 3 in a similar fashion to USB 2, the new hardware is backwards compatible with older USB hosts, back to version 1.0. Sure, it'll be slow on version 1.0 (in the case of something like an HDTV Tuner, it might have to downconvert the video stream to lower resolution when connected to a slower host), and even on 2.0 it'll be slower than it would if connected to 3.0 (though for a lot of devices, 2.0 is at least fast enough to be useful), but backwards compatibility is a huge market win. It means that as a device maker, I'm not limiting my market to only the people with the latest and greatest hardware - the hardware can gracefully 'downgrade' to work with the huge number of computers that have USB 2.0 and 1.0 but not 3.0 yet.
Backwards compatibility is both good business and good engineering (when possible; it's true that in some cases, the cost of backwards compatibility could be so high that it does not make economic sense to bother, but I don't think with something like USB that tends to be a 'blocking' level problem).
Don't have time to read the article, but historically one of the advantages of USB has been that almost any peripheral, high speed, or low speed, can be plugged into the same type of connector, so users don't have to worry about which plug to plug the keyboard into, which for the mouse, which for an external hard drive, camera, thumb drive, etc. That is the real beauty of USB - the 'universal plug'. Which is one reason I'm worried about an 'optical' version of USB - because that would seem to require a new plug type which I suspect would not be backwards compatible?
I *hope* that 'tweaked' USB 3 connector is backwards compatible with older USB connectors and hardware, so you can still plug the keyboard, printer, mouse, scanner, etc into it, *but also* plug in future high speed hard drives, network adapters, HDTV tuners, blu-ray burner drives, etc. I really like the idea of a universal plug for everything. It makes computers so much simpler to work with.
That's part of why I don't like the idea of e-SATA - unless I'm mistaken (haven't looked much at eSATA yet) it's introducing a new interface type which is basically not compatible with USB, requiring a differing plug.
I can think of at least a few reasons why one might go on such a show, that wouldn't be a complete waste of time:
* Seed planting - You might have the opportunity to make a statement to that audience - a claim, a promise, whatever, which people might disagree with at the time, but you are on record as having said it, and that audience may well remember it in the future, for good or bad (good would be if time proves you right, bad would be if time proves you to be a fool). You say that only time and experience will change their minds. Part of the process of 'experience' is hearing someone say something that you disagree with, then having them proven right in the future. So maybe you appear now not for a short term benefit, but perhaps for a longer term benefit.
* Positioning - If a candidate is perceived as very conservative, or very liberal, they can use appearances on moderately liberal or moderately conservative shows as an opportunity to make announcements about new positions/policies, or a change of previous position, to try to attempt to reposition themselves more to the center. In that case you are not trying to change the audience's mind about something you and they disagree on, but instead trying to find a common ground with that audience.
If you are using the key file to protect, say a TrueCrypt file on your hard drive, the key file itself is on your hard drive, and someone has access to your computer, you're right. That someone has everything they need to pretty quickly (on order of hours or maybe days at best) get into your TrueCrypt drive. But, let's say you are using that md5sum to instead protect your login for a VPN or secure website. The attacker does not have access to your computer, so they don't know what files to test against. Further, the remote server might lock the account after 10 failed tries (or whatever). Of course, arguably, in such a scenario, you don't even need a password that is close to this strong - since they only get 5 or 10 tries before the account gets locked, a relatively weak password might be sufficient.
For something like a TrueCrypt volume, or any other system where an attacker can get potentially an unlimited number of tries, and can try a very large number of permutations very quickly, I think a keyfile is a pretty bad idea, unless the key file is on removable storage like a USB key or CD - and then that does still always leave the problem of losing (or having stolen) the media.
Personally, I favor mnemonic-device password generation techniques - things like deriving a password from the lyrics of a song, poem, or a favorite passage from a book (which you haven't advertised to the world, of course), etc. They may not produce the strongest possible passwords, but you should be able to generate something sufficiently strong to slow most attackers down.
See, that's exactly why I *never* want to use biometric identification. I don't want to give anyone an *incentive* to cut off pieces of my body.
According to the link you posted, Cryptic is still developing the MMO, it just is no longer going to be a Marvel-licensed product. It still shows up on the Cryptic Website (Champions Online is the working title). Still, now that they have something else to work on, where they don't have to directly compete with their past success, they may well decide to stop or defer the Champions project. I think if I were a developer, I'd rather work on a Star Trek MMO, which would tap a basically untapped market (Star Trek fans), instead of a market I already tapped in the past (Super Hero fans) and which still is running successfully.
Although, there is something to be said for the idea that the market probably could use a successor to CoH. I've been playing it for over 3 years, but, honestly, it might be nice to play something super-hero themed, but which uses completely different game mechanics - just something new and fresh.
I've wondered this before. If you don't secure your network somehow, and someone else uses it to commit crimes, can you be held liable? For all the police know, it was you using the network. Does this provide sufficient 'reasonable doubt' as to require the police/prosecutors to have to prove it was actually you using the network at the time?
I think the reason for this article is to let people know that Star Trek Online, as a project, isn't dead. STO was actually announced like 3 years ago or something like that, and at the time was being developed by a company called, IIRC, Perpetual Entertainment. I don't know what the story is with that company, but basically the license got yanked from them like 6 months ago or something, and these announcements are just to let people know that the project hasn't been completely scrapped. But, it's gonna be another 3 years or something before it's released.
Personally, I'm a little worried - Cryptic did a decent job with City of Heroes/City of Villains, but now they are trying to simultaneously develop 2 or 3 different MMOGs (one for Marvel which will compete [or, maybe, really, replace - sort of CoH 2] with their earlier CoH franchise), this Star Trek MMO, and they have artwork up on their website which suggests they have a 3rd product in development which hasn't ever been announced (they have some screenshots depicting modern/futuristic soldiers attacking fantasy-themed monsters with guns).
Seems to me like with that much on their plate, *something* has to get the axe, or just be crap because they don't have enough experienced people working on it. I hope I'm wrong, but it always seems when companies try to do more than one MMORPG at a time, it just doesn't work.
"Star Wars Galaxies had lots of bugs to be sure but the major gripe was that it just wasn't Star Wars. For me the real killer was that Storm Troopers were insanely hard to kill while of course in the movies they die if you sneeze at them. I am also fairly sure Luke Skywalker never spent time beating up bunnies to get his knife skill up to scratch or mastered a dozen professions before becoming a Jedi."
MMORPG's will *never* be like movies? Why? Because movies are designed to be over in 2-3 hours, while MMORPGs are designed to keep you subscribed for as many months as possible. Without grinding, why would you stay subscribed to the game, paying $14+/mo (man, inflation sucks - I remember once upon a time paying about $10/mo for MMORPGs, but every year or two, like clockwork, prices seem to go up about $1/mo, so I would totally expect the Star Trek MMO to be about $16/mo)?
But, there you have it. The business models of movies and MMORPG's are so different that you can't ever expect a 'cinematic' experience from an MMOG. People wouldn't watch a movie that consisted of 3 hrs a day for 1 month of watching Han Solo and Luke Skywalker killing various fauna before they ever started taking on the Empire, followed by 3-4 months of missions against the Empire, wherein a small group of 2 or 3 of them kill, over time, about 100,000 storm troopers and imperial navy goons.
I've thought about doing something like this once or twice, but I have to wonder if, post-9/11, would FAA/TSA regs even allow this? I imagine government types like everything to match up nicely. Aircraft passenger manifests matching with the reservation list in the computer, or else the passenger not on the flight at all.
I bet this guy could work out a deal with Apple where he keeps a small amount of the 'sale' price for this thing (maybe 49.99), and donates the rest to some worthy humanitarian organization(s). Then you turn Conspicuous Consumption into Conspicuous Donation. Let the rich guy or gal who insists on paying $1000 for an "I am rich" sign, and who obviously doesn't need the money, help out others. They still get their ego gratification, the poor people who need help get it, and the guy who thought it up makes a living.
I can see the point that people make about encryption to an un-verified certificate (like a self-signed) being, potentially 'false security', but I also think the main article has a sort of point too -
Mozilla has always warned users about self-signed certificates, but I've never liked the warning. I think they are poorly worded and confusing to people, and the latest incarnation is particularly obtuse.
There is a place for self-signed certificates, I think, there just needs to be a way to add those self-signed certs to users browsers in a better fashion. Self-signed certs are perfectly safe if you have some way to verify them 'out-of-band' - that's the tricky part.
I think the ultimate answer to this problem might rely as part of a secure DNS system. We've seen from the recent DNS cache poisoning vulnerability that the current version of the DNS protocol is starting to show its age. Perhaps DNS needs to be re-designed to include cryptographic verification of the DNS chain, so that you can know you can trust data from DNS.
If you're defining a new version of DNS anyhow, it might be a perfect opportunity to make CAs less necessary, by allowing webmasters to put their self-signed cert into their DNS records (or maybe, that might add too much data to DNS requests, but you could at least add a secure hash so that the browser could verify the cert that the web server passes it, against the DNS record for that domain). I think there might still be a place for CAs for giving additional verification (e.g. DNS would just allow you to know you were getting the right certificate for that domain, CAs can maybe do additional verifications to make sure that the organization that owns a particular domain and SSL Cert really is who they claim to be, maybe?)
Let every DNS record be its own Certificate Authority.
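An added illustration of the check proposed in the post above (not code from the post or from any browser): a client compares the certificate a server presents against a hash published in that domain's DNS. The record layout follows DANE TLSA (RFC 6698) with selector 0 only; the function names and the sample bytes are hypothetical, and the records are assumed to come from a cryptographically validated DNS answer, as the post requires.

```python
import hashlib
import hmac

# Matching types as in DANE TLSA (RFC 6698): 0 = full data, 1 = SHA-256, 2 = SHA-512.
_DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}


def parse_pin_record(text):
    """Parse 'usage selector matching-type hexdata'; raise ValueError if malformed."""
    parts = text.split()
    if len(parts) < 4:
        raise ValueError("expected: usage selector matching-type hexdata")
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = bytes.fromhex("".join(parts[3:]))
    if selector != 0:
        raise ValueError("only selector 0 (whole certificate) is handled here")
    if mtype not in (0, 1, 2):
        raise ValueError("unknown matching type")
    if mtype in _DIGESTS and len(data) != _DIGESTS[mtype]().digest_size:
        raise ValueError("digest length does not fit the matching type")
    return usage, selector, mtype, data


def cert_matches_pin(cert_der, record):
    """Compare the presented certificate with one parsed record in constant time."""
    _usage, _selector, mtype, data = record
    presented = cert_der if mtype == 0 else _DIGESTS[mtype](cert_der).digest()
    return hmac.compare_digest(presented, data)


def verify_against_dns(cert_der, dns_records):
    """True if any well-formed record matches. Malformed records are skipped,
    and an empty or all-malformed record set fails closed."""
    for text in dns_records:
        try:
            record = parse_pin_record(text)
        except ValueError:
            continue
        if cert_matches_pin(cert_der, record):
            return True
    return False


# Constructed sample data: stand-ins for DER-encoded certificates.
SITE_CERT = b"constructed stand-in for the site's self-signed certificate"
OTHER_CERT = b"constructed stand-in for a certificate from an interceptor"
DNS_RECORDS = [
    "3 0 1 " + hashlib.sha256(SITE_CERT).hexdigest(),  # usage 3: pin the end-entity cert
    "3 0 1 zz-not-hex",                                # malformed record, ignored
]

if __name__ == "__main__":
    print(verify_against_dns(SITE_CERT, DNS_RECORDS))
    print(verify_against_dns(OTHER_CERT, DNS_RECORDS))
```

The check is only as trustworthy as the DNS answer: with unauthenticated DNS, whoever can spoof the response can publish a hash for their own certificate.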
You kind of missed my point completely.
"Removing stuff that you don't use or ever want to use is not exactly going to screw up your box. In real open source stuff, source code is edited ALL the time."
Yeah, the thing is, I never got a response, as far as I can tell, from one of the V-Box developers as to the correct way to fix this. I commented out two lines based on two comments, from two different people, both of whom seemed to just be struggling with the same problem I was and they said, well, these two lines caused the compile error, so we commented them out and it compiles, and appears to work correctly.
My point is that, I am a beginning programmer at best - I understand basic C/C++ syntax. The only help I was able to get building the software is by commenting out lines that I don't know what the true impact of commenting it out will do, by people who didn't appear to be VBox developers and I'm not confident they truly know whether that 'fix' is safe or not. The example I gave about the Debian developer was because, while I might have been a little confused about the exact changes made to OpenSSL, I knew that basically two lines in OpenSSL were changed, and changing those two lines broke OpenSSL, but broke it in such a way that it compiled fine, and appeared to run correctly, but didn't really. How do I know that I haven't built VirtualBox with some similarly subtle problem that isn't obvious, but is critical?
I had to do this because the core VirtualBox developers didn't release code that was buildable based on their build instructions, which brings me to my next reply. . .
"And complaining about "does not compile on Visual C++" is kind of dumb. Visual C++ is not the same compiler as GCC. GCC has different extensions, has better support for lots of C++ crap. The world does not revolve around MSVS.NET 2008."
I never complained, exactly, that it doesn't build on Visual C++ - I followed the official VBox instructions to the letter, which REQUIRE me to use Visual C++ and the GCC port from the MinGW project (although, to be fair, I suppose it might not be up to date with the latest features of GCC - it could be based on an older version). I would have *preferred* if it built entirely with GCC, but, I suspect that VBox developers are forced to use VC++ for certain code which interacts tightly with the Windows O/S.
Anyhow, the Sun developers somehow got it to build for their non-GPL binaries just fine. I very strongly suspect this is not a Visual C++ error as you attribute it. You know why? Because the code that failed to compile had something to do with USB (I don't know what exactly, but it definitely mentions USB in the function names), and the Open Source Edition is not supposed to *have* the USB support built into it. I think one of the developers forgot to do something while 'cutting out' the USB functionality from the GPL code-base. I will give them the benefit of the doubt that this was a mistake, and not intentional, but how hard can it be to set up a 'clean' computer and follow the same build instructions that you put up on your website, to make sure the source tree builds? Granted, they have no legal obligation to do so, but it certainly wins them no friends.
I'm glad they released the source code as GPL, don't get me wrong, but it just seems awfully suspicious that the binaries are not GPL and simultaneously, the official source release won't build when you follow their exact build instructions, putting all the software they say you need, on your computer. Again, it could be an honest mistake, but it gives the appearance of trying to make it difficult for other people to get the OSE built and running instead of the 'official' version.
Linux 0.1 not building isn't a valid comparison here, because VirtualBox is actually a pretty mature product, whereas that was a brand new project that was *only* intended for developer use until it could become more mature.
The "Search" might be reasonable, but seizing and never returning a laptop when no crime has been shown to be committed cannot possibly be within anyone's definition of reasonable. Take the laptop, search it, give it back if nothing illegal is found. I mean, sure, if they find kiddie porn, or JihadSuicideMission.doc, by all means, take the laptop as evidence. But if nothing is found, how can it be constitutional for them to not return it within a reasonable period of time?
I think the 4th Amendment implies a certain right to get your stuff back even if the search and seizure itself was legal, if no cause is subsequently found to keep it. Or, at least, the 5th Amendment, as the GGP mentioned, which says the government may not take your stuff without a conviction. I surely think between the fourth and fifth amendments, there's no argument that would allow the government to keep your stuff when no crime has been committed.
Still, the Constitution is only worth as much as the people who interpret/enforce it, and our government, sadly, currently views the Constitution as a hostile set of restrictions to justify going around, instead of a sworn duty to preserve and protect.
"Give me Liberty or give me Death!"
Ok.
Bang!