Slashdot Mirror


User: cffrost

cffrost's activity in the archive.

Stories: 0
Comments: 1,488

Comments · 1,488

  1. Re:OPERATIVE TERM HERE on Extinct Species of Early Human Survived On Grass Bulbs, Not Meat · Score: 0

    Operative term where where? Your post has fuck-all to do with the post you replied to. Stick to writing your JEs — you seem to be able to find the "post" button when you write those.

  2. Re:Was not arrested on Australian Teen Reports SQL Injection Vulnerability, Company Calls Police · Score: 1

    a hypothetical interpretation of reality meant to foster vigorous discussion of various subjects and hypothetical constructs

    Really? I thought it was "a hypothetical interpretation of reality meant to maximize the number of ad impressions garnered".

    I suppose you're right — it doesn't take me long to forget about the (b)ads I never download or lay eyes on.

  3. Re:The correct way to "inform the authority" on Australian Teen Reports SQL Injection Vulnerability, Company Calls Police · Score: 1

    I think the market has indicated that the release of a zero-day exploit is preferred. As here, "responsible disclosure" results in harm to a good-faith actor, while zero-day exploits are quickly patched, and users quickly learn of the danger so that they may take whatever precautions each user deems appropriate until the danger has passed.

    Wow - you're quite right, though I haven't seen it so clearly explained. Such a shame - people need to get over this default reaction of retaliation.

    Thank you. :o)

    I remember that in an exchange with mcgrew, you put forth a self-developed technique, which you'd named and detailed on your website (which isn't working for me today — though I'm experiencing DNS failures and timeouts in recent days). All I can remember is that it involved an increasingly-adversarial arrangement imposed upon the responsible entity, it was less adversarial than "zero-day exploit" but more adversarial than "responsible disclosure," and it was quite persuasive. Do you remember it, (and if so, can you please recite it here)? Have you abandoned your idea? I hope you haven't — it was certainly preferable, I think, to "responsible disclosure," though I can't remember the level of risk it exposed the reporter to.

  4. Re:Was not arrested on Australian Teen Reports SQL Injection Vulnerability, Company Calls Police · Score: 1

    Thank you. :o)

  5. Re:Not news for nerds on How Chris Christie Could Use the NSA Playbook · Score: 1

    Are you sure? I thought that while poor karma can give a negative starting score, it doesn't apply an "Insightful" (or any other tag) to the initial post. In other words, such posts would be labeled "Score: -1" as opposed to "Score: -1, Insightful". I thought only a "Insightful" mod by another user caused that label to be attached to a post.

    I agree, but cold fjord didn't say he saw the post in its initial state. It displayed the same way for me, in a moderated/modified state.

  6. Re:Random satire on How Chris Christie Could Use the NSA Playbook · Score: 1

    Snowden, NSA, and Bitcoin.

  7. Re:What's more amusing here... on How Chris Christie Could Use the NSA Playbook · Score: 2

    Let's compare how much media time this gets [with that].

    If you're talking about coverage via the "big six" US corporate news media, coverage depends partially on the political and economic interests of the parent corporation, and partially on the projected profitability of the coverage. The former could be determined somewhat by the legal bribes a corporation has given to political candidates. I'm not interested, as I don't share interests with any of those corporations. Thus, I don't get any of my news from them, instead preferring mostly foreign outfits with a smaller stake in determining what is fit for someone in the US to read about.

    [...] American state dept official being left out to be lynched by a planned assault on our consulate when help was available? Does it really matter if it was planned or spontaneous?

    I don't know, but maybe if the US hadn't participated in overthrowing Libya's government, there would be a police department there to investigate murder cases. Other than "many dead, many injured during protests/riots/attacks coinciding with anniversary of 9/11 attack on US," I remember and care little about those small uprisings through 2011-2012, except for my continual belief that the US should quit meddling in the affairs of sovereign states in which a US presence is unwanted by the majority of the populace.

    There are other misdeeds, crimes, and atrocities being committed by the Obama administration that I'm far more concerned with right now, like the indiscriminate mass execution of civilians abroad via remote control (Obama: "I'm getting very good at killing people."); the mass surveillance of myself, fellow citizens, and fellow innocents across the globe; the ongoing suspension of habeas corpus under the NDAA 2012; banksters walking free, while incentivized to crash the economy for fun & profit again, as spending for assistance for this nation's most-in-need is cut; the "most transparent administration in US history" waging a war to punish/silence whistle-blowers throughout the federal government and military; and so on and so forth.

    Are you concerned about any of those things? Do you consider any of them more important than the attack that occurred in 2012?

    When I read about something bad that's happened, my foremost concerns are: "In what way is this event affecting the lives of vulnerable civilians now, and in what ways may this event affect the course of future events that may cause them and others harm in the future?" When you read about something bad that's happened, be it the passing of bad legislation or some natural or intentional harm affecting many people, what are your foremost concerns?

  8. Re:Random satire on How Chris Christie Could Use the NSA Playbook · Score: 2

    I'm struggling to understand how this qualifies as "News For Nerds" or "Stuff That Matters".

    I believe it was meant to foster a discussion about NSA's post-Snowden propaganda campaign, but we don't seem to be having that discussion, as far as I've read.

  9. Re:Not news for nerds on How Chris Christie Could Use the NSA Playbook · Score: 1

    Maybe it's a bug, but I see this post moderated as "-1, Insightful" at the moment.

    It's not a bug; mozumder's starting score is -1, which is caused by having poor "karma," which is caused by being down-modded more than up-modded.

  10. Re:Was not arrested on Australian Teen Reports SQL Injection Vulnerability, Company Calls Police · Score: 2

    The article says he was reported to police, but not arrested or even contacted by the police.

    He only even knows he was reported to the police because the journalist told him.

    Seriously, can we at least read the article before making up wrong headlines?

    Please, you've been here longer than I have. Surely you know that the "news" items here aren't meant to be an expression of reality, but a hypothetical interpretation of reality meant to foster vigorous discussion of various subjects and hypothetical constructs. ;o)

  11. Re:Brilliant, make them coconspirators on Australian Teen Reports SQL Injection Vulnerability, Company Calls Police · Score: 3, Interesting

    2. "leak" the info to some hacking circle and let others do the job for you.

    Brilliant, help the kids remove any hope they had for a slap on the wrist by making them coconspirators in a criminal enterprise.

    I agree that involving potential minors presents a moral conundrum, but I think this is mostly a problem with how harshly minors are treated nowadays. Perhaps it's best to include an advisory with any vulnerability details that outline the potential penalties and risks involved with using the information provided. I believe it is the case that "the kids" have shown themselves to be very adept at this work, but I'm dismayed by what happens to them when they're caught (i.e., as though having done something terribly wrong, instead of having helpfully contributed to the security process).

    In the meantime, maybe some kind of anonymous WikiLeaks-style clearinghouse for zero-day exploits would be ideal, until the harsh penalties are removed, or the market chooses something other than "zero-day exploit" as the most effective form of security vulnerability disclosure (what with "responsible disclosure" resulting in inaction and/or harsh penalties applied to actors in good faith). (I'm unaware of the current release platform, but I suppose it's an unorganized mixture of web sites and P2P platforms with varying and unknown degrees of risk — a centralized point would make it easier for users and vendors to check if systems important to them have been compromised. News media could also extend its reach.)

    If you want to learn to be a security researcher then find some like minded folks and practice on each other's systems. Create Windows, Linux and *BSD honeypots that are misconfigured, not currently patched, etc. Watch your friends try to get in. It will be an educational experience from both the offensive and the defensive perspectives.

    That sounds like a fun learning activity for people who have the time and interest, but sometimes security vulnerabilities are discovered by those who may be regarded as lay-people. Increasingly so, I would guess, as more people are exposed to more technology. I wish they were always aware of the harsh penalties that are often involved in helping to repair security vulnerabilities — until, ideally, harsh penalties are removed as a likely possibility.

  12. Re:The correct way to "inform the authority" on Australian Teen Reports SQL Injection Vulnerability, Company Calls Police · Score: 4, Insightful

    Actually things would have been a lot more pleasant for him had he moved to his place of choice first before doing the leaking.

    The long arm of the US does mean there are very few suitable places so maybe Russia really is the best spot (but there was a fair bit of fuss getting there). Maybe he might have preferred Ecuador? Climate seems better there.

    I think Snowden's only realistic choices have always been either Russia or China, as they're the only two countries that both a) have the ability to defend their airspace, and have the military strength to stay standing after taking down a US intruder, removing the possibility of a flown-in death squad (e.g., Osama bin Laden) and b) have the political will and economic fortitude to withstand pressure from the US, removing the possibility of a straight-up sell-out, (e.g., Kim Dotcom).

    I don't think Assange's idea would have worked for Snowden; Ecuador would have likely caved to extreme pressure from the US, and the US has proven many times it has no qualms about toppling popular democracies, engaging in international terrorism, or intentionally causing widespread human suffering in pursuit of its economic and political interests, particularly in Central/South America, (I think because it's perceived as "belonging to" the US). (Fortunately, those days seem to be behind us, as the US populace wises-up to the atrocities it pays for (cf. the backing down of US war of aggression against Syria, opting for strange, new "diplomacy"-thing with Putin, as if by accident).)

    Assange's situation is far from ideal, what with his lack of autonomy and ability to go out for a walk, but his decision was made in a sense of immediacy and duress; he didn't have the opportunity for foresight Snowden had. I am glad that he successfully traveled between Hong Kong autonomous region and Russia, though — I cannot imagine the horrors he'd have been subject to at US hands had he failed. My country is a dangerous rogue state, not to be trifled with without extreme precautions for one's own well-being.

    As for reporting security vulnerabilities, I think the market has indicated that the release of a zero-day exploit is preferred. As here, "responsible disclosure" results in harm to a good-faith actor, while zero-day exploits are quickly patched, and users quickly learn of the danger so that they may take whatever precautions each user deems appropriate until the danger has passed. Unlike many other good-faith actors, most releasers of zero-day exploits seem to know how to exceed the grasp of their targeted beneficiaries.

  13. Re:Herpin' the Derp on Ford Exec: 'We Know Everyone Who Breaks the Law' Thanks To Our GPS In Your Car · Score: 1

    I'm not sure why you feel the need to turn this into a debate, if not for the sake of debating. I don't think we're in any significant disagreement here, just emphasizing different aspects of this story. What am I missing?

    Nothing — that's just how "girlintraining" behaves. Like an untrained dog, once it catches your scent, it'll jump up all over you until it gets bored or distracted.

  14. Re:"[U]se [RC4] as a last resort." on Security Expert: Yahoo's Email Encryption Needs Work · Score: 1

    You're foolish.

    I disagree, but I may be biased.

    RC4 is better than cleartext [...]

    I agree.

    [...] which is what you may end up with your configuration.

    No it isn't — please see my reply to brunes69.

    To anyone who read only my initial post, please note that I use two additional plug-ins which thwart a plaintext connection with any host with which any encrypted connection is possible, including RC4: "HTTPS Everywhere" and "HTTPS Finder" — see my reply to brunes69 for links/further info.

    My apologies to everyone for neglecting to include important info in my initial post, particularly to anyone who got the impression that I was advocating plaintext in preference to a weak or broken cipher.

  15. Re:I don't understand this reasoning at all on Security Expert: Yahoo's Email Encryption Needs Work · Score: 1

    Your [logic] fails as soon as with ROT13 - not better than clear text.

    I disagree; ROT-whatever would at least help defend one from automated surveillance of plaintext keywords, and very lazy/unmotivated human eavesdroppers.

  16. Re:I don't understand this reasoning at all on Security Expert: Yahoo's Email Encryption Needs Work · Score: 3, Interesting

    So if a website gives you only HTTPS with RC4 or HTTP in clear text as options - why would you choose clear text?

    This is totally illogical. Yes RC4 sucks but it is better than clear text - ANYTHING is better than clear text. The only possible argument for this would be "false sense of security", but if you think average people pay any attention to that padlock in the status bar, you are delusional.

    I agree with you wholeheartedly — in fact, I accept some questionable certs in my zeal to transfer ciphertext instead of plaintext.

    However, I neglected to mention in my previous post that I also use EFF's "HTTPS Everywhere," and an extension for that extension called "HTTPS Finder" — the former forces HTTPS if the host is known to support it, and the latter forces HTTPS if an HTTPS connection is possible (and creates a new rule for "HTTPS Everywhere"), even with requisite security.ssl3. cipher suites disabled in about:config.

    (I figured anyone knuckle-deep in their browser's HTTPS configuration would be aware of them (and hopefully, using them). I recommend both, emphatically — "HTTPS Everywhere" alone yields a vast improvement in security/privacy, and has the benefit of a very long, expert-managed list of defaults.)

    Thus, if RC4 is needed and I have it disabled, I'll be presented with an "ssl_error_no_cypher_overlap" error page, then I enable RC4 and reload. The only weakness there is in my forgetting to re-disable RC4, but the two extensions I mentioned in my initial post help in this effort, alerting me in various ways if/when I connect to another host using weak security:

    "CipherFox" displays the cipher suite (or configurable portions thereof) in use on the status bar (e.g., it shows me "AES-256 RSA-4096 SHA1" on DDG), as well as providing the "Enable RC4" check-item on the Tools menu.

    "Calomel SSL Validation" displays (on my nav. bar) a color-coded shield that represents a percentage security rating based on weighted factors drawn from the cert and cipher suite, the breakdown of which is displayed via clicking the shield icon.

  17. Re:Reading Level on Algorithm Aims To Predict Fiction Bestsellers · Score: 1

    [...] Sarah Palin's a master of it...

    Sarah Palin's handler(s)/management (team), more likely. We're talking about a person who thought the 2003 invasion of Iraq was (to paraphrase) "revenge for 9/11," or some such nonsense. In other words, I "betcha" there's little acumen of any utility rattling around in that skull of hers.

    God I hate marketing.

    I hope for all exposed beings to possess the wherewithal to resist for-profit and political propaganda in all of its forms, and manipulation therefrom, particularly anything shat out by the United States' six-headed corporate "news" media (i.e., corporate and government press releases, backed by unchallenging commentary).

    I find it interesting that amongst our nation-wide, free-press establishment, PBS (a government- and corporate-backed entity) seems to be the only major source for investigative journalism (particularly via Frontline). Fortunately, contributions from the David H. Koch Foundation seem to have been used only to suppress broadcasting of investigation into the Koch brothers, rather than to steer PBS's agenda.

  18. "[U]se [RC4] as a last resort." on Security Expert: Yahoo's Email Encryption Needs Work · Score: 4, Informative

    Unfortunately — in Firefox, at least — ciphers can only be toggled, not given a priority. Control over cipher selection (and other HTTPS parameters, such as key length, key exchange, hash (MD5/SHA), etc.) lies with the server operator. In my own testing, the arbitrated HTTPS parameters are most frequently prioritized in some order without regard to strength, or prioritized from weakest-to-strongest (or perhaps least-to-most expensive to execute).

    In order to retain manageable security, I have only TLS 1.0-1.2 enabled, MD5 disabled, all RC4-employing combos disabled, with the last being switchable via a check box provided by "CipherFox." (Additional features of use to "CipherFox" users are provided by "Calomel SSL Validation"; I recommend both.)

  19. Re:great... on Firefox 26 Arrives With Click-To-Play For Java Plugins · Score: 1

    In the mean time they have made it substantially more difficult to configure the rejection of cookies.

    Jesus... I'm actually thinking IE is better at this point.

    Pay no attention to Firefox's built-in cookie-handling interface; it's designed for Joe Kegger — not computer nerds and/or privacy control-freaks. Get whatever cookie-handling plugin(s) that'll give you the level of control you need.

    I use CookieSafe v3.0.5*, which I have set to block by default, and then "allow" and "allow for session" sites I want to white-list. Also provided: "allow temporarily" (for current session, then block), which is handy for determining if a site requires cookies to function, and "remove" (to get rid of domains' cookies that I used to allow).

    Another cookie plugin I like is Self-Destructing Cookies, which provides "delete-on-tab-close;" "delete-on-browser-close;" and "never delete." Unlike CookieSafe, however, it lacks a function for viewing the complete rule-set — only the rule in use for the currently-selected tab's domain.

    * If I remember correctly, there's a different version or branch of CookieSafe that's incompatible with recent versions of Firefox, plus a "Lite" version that's little better than Firefox's built-in level of control.

  20. Re:Something has to give, buddy on US Issues 30-Year Eagle-Killing Permits To Wind Industry · Score: 1

    >You should move to a warmer city where you don't need to be so wasteful.

    Typical liberal, tells everyone else how to live.

    "[Telling] everyone else how to live" is authoritarianism, not liberalism. Authoritarianism comes in both left and right flavors — neither palatable, in my opinion.

  21. Re:I want my internet back on Facebook Patents Inferring Income of Users · Score: 2

    Another confirmation that our idea of the internet has devolved in the hands of entrepreneurs.

    I'm with you. Some people seem to have had it drilled into their heads that they've got some moral duty to download and expose themselves to corporate propaganda ((i.e., advertizements) and the malware* that frequently accompanies it), lest the Internet shrivel up and die. They forget that aside from spam, the Internet started out nearly ad-free, and that ads were scarce for a while in the beginning of the 1990s web-boom.

    I don't think it'd necessarily be a bad thing if ad-dependent content disappeared; what would remain would be material that's important enough that someone's willing to ask for donations, pay out of their own pocket — or both — in order to make it freely available. Wikipedia (for instance) seems to work fine using this model, and is better for it, I think, than if it kowtowed to corporate-huckster "benefactors."

    * I consider the ads themselves a form of malware — mental malware meant to manipulate people's purchase decisions (as manipulation is the intent behind propaganda of any type).

  22. Re: Social division of labor on The Brains of Men and Women Are 'Wired Differently' · Score: 1

    That's why bitches can't think straight.

    To clarify, you contend that "bitches can't think straight," because Tuidjy's wife used to work with Professor Gur, who was transferred from UPenn to UPhil... Can you please connect the dots?

  23. ..and for whatever reason, Slashdot refuses to show the first link. Just forget it.

    Well, your sig told me to "trust the Computer," and that "the Computer is [my] friend." Sorry to say, but it appears that the Computer isn't even your friend, despite your going out on a limb to vouch for it. After seeing how it treated you, I'm thinking "fuck the Computer; the Computer is a jerk."

  24. Re:oh for on French Court Orders Search Engines, ISPs To Block Pirate Sites · Score: 1

    well, that blows. As a content creator with two documentaries on the piratebay, that pisses me off.

    Post the torrent hashes someplace where people can find them, and they'll remain accessible for as long as online stewardship of the torrents' data is maintained. For greater user convenience, magnet links can be created using the torrent hashes (on properly-constructed/maintained, standards-compliant web sites (e.g., not Slashdot)).
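One way to derive the magnet link the comment above refers to from a .torrent file, as an added example that is not part of the original comment thread: the "torrent hash" (btih) is the SHA-1 of the raw bencoded info dictionary, so the hash is taken over the file's original bytes rather than a re-encoded copy. The minimal bencode decoder and the sample torrent bytes are constructed for this example.

```python
import hashlib
from urllib.parse import quote


def bdecode(data: bytes, pos: int = 0):
    """Decode one bencoded value at offset pos; return (value, end_offset)."""
    c = data[pos:pos + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                                  # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                  # dict: d<key><value>...e
        out, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            out[key], pos = bdecode(data, pos)
        return out, pos + 1
    if c.isdigit():                                # string: <length>:<bytes>
        colon = data.index(b":", pos)
        start = colon + 1
        end = start + int(data[pos:colon])
        return data[start:end], end
    raise ValueError(f"malformed bencode at offset {pos}")


def raw_info(torrent: bytes) -> bytes:
    """Return the 'info' dictionary exactly as stored in the file; re-encoding
    a decoded copy may change bytes (key order, formatting) and thus the hash."""
    if torrent[:1] != b"d":
        raise ValueError("a .torrent file is a bencoded dictionary")
    pos = 1
    while torrent[pos:pos + 1] != b"e":
        key, pos = bdecode(torrent, pos)
        start = pos
        _, pos = bdecode(torrent, pos)             # skip over the value
        if key == b"info":
            return torrent[start:pos]
    raise ValueError("torrent has no 'info' dictionary")


def info_hash(torrent: bytes) -> str:
    """Hex SHA-1 of the raw info dictionary: the 'btih' value of a magnet link."""
    return hashlib.sha1(raw_info(torrent)).hexdigest()


def magnet_link(torrent: bytes) -> str:
    """Build magnet:?xt=urn:btih:<hash>&dn=<name>[&tr=<tracker>]."""
    meta, _ = bdecode(torrent)
    name = meta[b"info"][b"name"].decode("utf-8")
    link = f"magnet:?xt=urn:btih:{info_hash(torrent)}&dn={quote(name)}"
    if b"announce" in meta:                        # tracker is optional (DHT/PEX)
        link += "&tr=" + quote(meta[b"announce"].decode("utf-8"))
    return link


# Constructed single-file torrent for this example (not a real torrent);
# the 20-byte 'pieces' field is a placeholder, not a real piece SHA-1.
SAMPLE_TORRENT = (
    b"d8:announce31:http://tracker.example/announce"
    b"4:infod6:lengthi6e4:name11:example.txt12:piece lengthi16384e"
    b"6:pieces20:" + bytes(range(20)) + b"ee"
)

if __name__ == "__main__":
    print(magnet_link(SAMPLE_TORRENT))
```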

  25. In Related News... on French Court Orders Search Engines, ISPs To Block Pirate Sites · Score: 2

    PARIS — In a bizarre victory for the French imaginary property industry, a French court has ruled that the deck chairs on the RMS Titanic are to be rearranged, effective immediately. In an effort to comply with the court's order, French and US authorities are negotiating the extradition of director/enthusiast James Cameron and his personal submarine — capable of both reaching the Titanic and rearranging her deckchairs via robotic claw — to the icy North Atlantic, where the ill-fated symbol of man's hubris sank nearly one US-copyright-term-length ago.