"Tracking radiation levels is just the beginning. This is a preview of how accelerating technologies will allow us to monitor anything, anywhere, in realtime."
Not to mention how we now have unprecedented ability to spread hysteria when there's nothing actively wrong!
Moving along. FTA:
Three days from concept to a working map that gives valuable and reliable data to anyone who wants it for free, and not a dollar was spent in its production. Amazing.
Wait, what? You mean nobody spent ANY time or money to get that data? It just magically appeared on servers? Poof!
Ah:
Their information is gathered from volunteer and official sources and embedded onto an adapted Google Map.
Time != free (even the time of a volunteer has value to that volunteer). Official sources are most definitely not an example of data available without cost -- it's just a question of who pays the cost and when. In actual dollars, at that -- not just volunteer hours.
While many of those wanting to track radiation levels after the Fukushima accident do so out of sympathy for Japanese citizens, let’s not ignore the fact that many others are simply worried about when dangerous radiation levels could show up in their own backyard.
Well, sure. Because at any second, ANY OF THOSE PLANTS COULD EXPLODE!
The problem with bloggers becoming the "new journalists" is that any sense of responsibility goes out the window in the race to get page hits.
This perhaps came across as unnecessarily irritable... but I'm a bit tired of the attention that the "nuclear scare" is getting, while the thousands of people killed in the friggin tsunami are just a footnote.
If it gets the salient points that you're interested in across, then it sounds like it doesn't matter (for you) whether it was a shill posting or not. When I read these, the basic facts are definitely useful - but I'm also looking for an honest evaluation of the book's content. In this case (and in the case of all Packt reviews I've seen here in the last 1-2 years) we are given details about the content of the book; but told very little about the quality of that content.
Whatever would trolls (like the one in the zdnet article) do if people just stopped linking to their tripe?
It's pretty ridiculous - they guarantee success by publishing fact-light crap. The more outrageous and/or preposterous their content, the more people will link to them, the more hits they get, the more money they get. I mean, do you seriously think this guy believes what he wrote? Or is it more likely that he laughed as he wrote it, thinking of what kind of comments his article is going to get?
You're correct in that even if they were split, there would still be issues of trust/MitM. But that doesn't justify essentially "throwing out the baby with the bathwater". Just because trust is not established doesn't mean encryption in and of itself should be effectively discarded too. The potential MitM is far from the only black hat out there.
Ultimately, my issue now is a matter of presentation - since, as I said, we're forced to group crypto and identification together at present. I could agree with warning the user that it's not an authoritative cert. Where I have issue is displaying a malware-type warning that brings the browsing experience to a screeching halt and requires a multi-step process to work around. Why not the simple banner that's common for notifications: "This host is not guaranteed to be xyz.com." with dropdown options: [Learn More] [Just this Once] [It's OK I trust them] [Get me Out Of here]
Tangentially: keep in mind too that an externally signed cert is not authoritative proof of identification anyway - these processes are subject to exploit. If somebody's gone to the trouble of a competent MITM attack, you don't think they could do so with a cert that is a) signed by a trusted authority and b) gives a reasonable veneer of credibility to the end user (such as the URL bar showing "Some Corporation, Inc" vs "someCorporation inc")?
Encrypted connections to unidentified endpoints are not safer than unencrypted connections because there's no way to detect a man in the middle, unless you obtained the certificate also through a separate secure channel (in this case you can add it to your browser's certificate store and never get a warning again). But I fully agree that some browsers have become far too annoying in the way their UI handles such a situation.
That's like saying hopping onto a train with an unknown destination won't get you out of the rain.
Just because you don't know where you're going doesn't mean you're not going to be dry when you get there.
As I've been saying elsewhere in this thread - SSH manages to use separate keys for crypto and ident just fine. Why wouldn't we do the same thing with https?
They don't refuse them - but for most users who don't actually read errors, it's tantamount to a refusal. You go to a web site, you get a big scary looking message (which looks similar to the malware message) -- and little tiny print that *might* provide a way around it. If you're in the minority you click the link to get around it - then you see that you have to do something with a "certificate" and "adding an exception", which means precisely nothing to you. It's only the smallest percent of users who will proceed past this point.
By separating identity from encryption (which provides over-the-wire safety even if you can't be sure of where you're sending your data), there's no longer a need to frighten people away from web sites with overstated error messages.
When you connect to an SSH host for the first time, most clients will provide you a visual version of the host public key and ask you to confirm that they are who they say they are. This is not a big scary message, just a simple prompt saying "Hey, is this the right key for XYX.com?"
It remembers that approval, then and ONLY if the key ever changes for that host does it give you the big scary message.
Something I have never understood is why the cert for identity confirmation is the same as the one used for encrypting the session. SSH itself uses a generated, negotiated key for communications; while identity confirmation is a completely different cert from the host and the client (for a total of up to three keys if you're using key-based auth; otherwise there are two -- one derived from host cert, and the second specifically negotiated for session encryption)
Why shouldn't this be the standard model? Encryption *is* independent of identity confirmation: yes, it's possible that you're not sending to who you think you are when you separate them. On the other hand, you're still protected from anybody monitoring over the wire or over the air. This is an improvement over the current scenario which is "all or nothing" -- because too many places choose "nothing".
The problem is that the browsers persist under the myth that certs can ONLY be used for proving the identity of a host; and completely disregard the fact that an equally valid and completely unrelated task is traffic encryption.
Under the theory that there's no valid use other than identification, refusal of self-signed certs makes perfect sense. Unfortunately, that theory has little to do with reality.
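The SSH-style behaviour described in the comments above (a quiet prompt on first contact, silence on a match, a loud warning only when a pinned key changes), as an added example that is not part of the original thread. `PinStore`, its method names and the key bytes are hypothetical, constructed for illustration.

```python
import base64
import hashlib
import json
from pathlib import Path


def fingerprint(public_key: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(public_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class PinStore:
    """Hypothetical known_hosts-like store mapping host -> pinned fingerprint."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def check(self, host: str, public_key: bytes) -> str:
        """Classify a presented key without changing the store."""
        pinned = self.pins.get(host.lower())
        if pinned is None:
            return "unknown"   # first contact: simple prompt; identity is not proven yet
        if pinned == fingerprint(public_key):
            return "match"     # same key the user approved earlier: stay silent
        return "changed"       # differs from the pin: the one case for the loud warning

    def approve(self, host: str, public_key: bytes) -> None:
        """Record the user's approval; never overwrite an existing pin silently."""
        host = host.lower()
        if host in self.pins and self.pins[host] != fingerprint(public_key):
            raise ValueError(f"{host} is already pinned to a different key")
        self.pins[host] = fingerprint(public_key)
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))


def demo():
    # Constructed sample key blobs, not real host keys.
    first_key, other_key = b"constructed-host-key-A", b"constructed-host-key-B"
    store = PinStore()
    seen = [store.check("xyz.com", first_key)]      # before any approval
    store.approve("xyz.com", first_key)
    seen.append(store.check("XYZ.com", first_key))  # host names compared case-insensitively
    seen.append(store.check("xyz.com", other_key))  # a different key for a pinned host
    return seen
```

The "unknown" result is where the objection raised in the thread applies: nothing at first contact distinguishes the real host from an interposed one unless the fingerprint is compared over a separate channel.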
Yeah, I tried to put my < 1 yr old to work. He looked at me and was like "No, man. Shut up and feed me. Also, my diaper needs to be changed. Get on it."
Hm, I should have been more clear. What I meant was: how likely is it that Google would be so reluctant to suspend the accounts of someone who fraudulently posted even one pirated app?
That's what you think. When something is free, it's always necessary to question who is paying the cost, and how. What are you giving up in exchange for your 'free' news? At the very least, the vast majority are giving up significant information about their reading and browsing habits.
Oh look, it's one of the i-did-not-come-up-with-it-myself-at-that-age-and-so-it-is-no-good crowd!
Sorry. I'm just really noticing lately how stereotypical the kneejerk negative replies that we see here are.
Here are the basic templates they seem to follow thus far:
I didn't think of this idea, so it sucks [also known as "I won't admit that I'm envious at not having thought of this idea, and so I will point out how it sucks"]
I did think of this idea 10 years ago!
I don't see the point, therefore it will flop.
I thought of a really obvious flaw that invalidates this entire concept - surely the engineers/inventors/etc didn't think of THAT one first!
True, but you did extrapolate incorrectly from it... (eg it's not illegal, just against PCI compliance regs - which are only enforced by the industry itself)
My point was, though, that if someone does actually work in an industry, there are things you learn because it's your job to learn them. When posting a quick reply to /., you may not have the time (or desire) to track down where the knowledge came from if it's part of the basic ruleset you work with every day.
Win-win!
No, I skimmed and saw Packt and didn't read anything else. They've been using their shills to advertise their books here for a long time now.
Please, o omnipotent mod, tell me how my post is offtopic to the parent post?
Sounds infinitely more logical to me.
How likely would this be to occur if there wasn't so much emphasis on having the highest number of available apps in an app store?
Helpful, but I'd recommend looking closer. adblock doesn't stop everything even with a good list sub.
The copyright would be on the content of the files (even comments), not executable code vs. not, wouldn't it?
No, I think he's saying that you get what you pay for.
I've got free news from:
Damn, you were seconds away from getting +5 funny with this one AC
I think you missed the part where its world premiere will be direct to BT/DVD... thus, no box office.
The First Amendment only protects you from government prosecution. Getting suspended from school clearly does not count.
Yet the school is acting as an agency of the government, is it not? *especially* in this case where the directive is coming from the federal level?
Who votes these up, anyway? Or does the firehose only get used to make us feel like we have a say in things..
Who watches the watchers wouldn't apply - because the watched would also be the watcher.