Slashdot Mirror


User: something_wicked_thi

something_wicked_thi's activity in the archive.

Stories: 0
Comments: 372

Comments · 372

  1. Re:Apparently Obama knows not Grigsby & Cohen on Obama Says Offshoring Fears Are Unwarranted · · Score: 1

    Canadians who wish to get green cards often get H-1Bs.

  2. Re:Apparently Obama knows not Grigsby & Cohen on Obama Says Offshoring Fears Are Unwarranted · · Score: 3, Interesting

    The H-1Bs seem to me to be more of a distraction. However, I'm biased: I'm a Canadian in the US on an H-1B. But, as an H-1B holder, I know something of the process involved.

    There are annual limits on the number of H-1Bs that the US hands out. That number is 65k plus an additional 20k for people with masters degrees. I know in 2008, they got more than double the cap on the first day and instituted a lottery, but in 2009, there were very few applications because of the failing economy. I'm pretty sure that most years, the 20k masters cap is never reached, and I think the 65k in 2009 wasn't reached, either.

    Anyway, H-1Bs are good for 3 years, extendable up to an additional 2. This means that the theoretical maximum number of legal H-1Bs in the US at any one time is 5 * 85k = 425k. That's less than 0.2% of the population and seems unlikely to me to significantly affect the unemployment rate.

    Another point is that H-1B workers are required, by law, to be paid at least the "prevailing wage" based on their work and geographical location. While this is by no means perfect, it does provide some protection against wage depression.

    Am I saying the H-1B program is perfect? God, no. There is a lot of abuse. People apply for H-1Bs on false pretenses, the green card application process is dubious to say the least, and the spouses of H-1B holders cannot work unless they acquire their own visas.

    The number I quote can be inflated a little because H-1B holders who are applying for green cards can basically keep their H-1Bs indefinitely until the green card application is fully processed. This process can take years. One simple way to reduce the number of H-1B holders is just to process these applications faster.

    Of course, there are lots of green card holders in general who are immigrants and you could argue that people with permanent residence status are taking US jobs. I think that's actually a more defensible position, since there are simply more of them. And there are more undocumented workers than H-1B holders, too. Lots more. Therefore, my point is that while the H-1B program is not perfect and is certainly abused, I am dubious of kneejerk claims that it is this fraud that in any way hurts "most Americans". With millions of jobs being lost every year due to the economy, there simply aren't enough H-1B workers to account for very much of it.

  3. I don't get it on Interpol Chief's Identity Spoofed On Facebook · · Score: 4, Insightful

    How does spoofing his identity on Facebook help? Was someone dumb enough to send confidential information regarding a criminal investigation to one of these spoof users via Facebook? Please tell me that's not the case. But the article is short on details and I can't think of any other way such a spoof would cause any kind of leak.

  4. Re:Get ready to Bend over America on Google and Verizon In Talks To Prioritize Traffic (Updated) · · Score: 1

    So in Google's view, you shouldn't be allowed to prioritize Vimeo over YouTube, but you SHOULD be able to throttle torrent traffic down and prioritize YouTube videos. This is very bad news.

    Score another one for the ignoramuses around here. I bet you've never had any kind of experience managing networks. It's common and in general necessary to prioritize some kinds of traffic over others or many networks simply stop working. For example, one can easily imagine how DNS should be prioritized over most other things because DNS is UDP and also necessary for the internet to work. If you lose a DNS packet, that's a lot worse than losing a TCP packet, which will be retried in due time and throttled. Similarly, VOIP is more important than some random file download, and routing messages between internet servers are more important, still.

    It's definitely required that net neutrality not infringe on the right to throttle different kinds of traffic. Otherwise, many networks would either cease to function or function in a much worse state than today. We can make it illegal to restrict traffic based on its source, so you can't prioritize Amazon over Borders and Yahoo over Google, but you still need to be able to say things like control packets are more important than VOIP, which is more important than web traffic, which is more important than email, which is more important than whatever copyrighted material you're pirating off of torrents at the moment.

  5. Re:Interesting on Malware Targets Shortcut Flaw In Windows, SCADA · · Score: 0

    Hell no. The stupidest Microsoft invention ever is, at least from a security perspective, far and away ActiveX. There's nothing else even close.

  6. Re:Or... on OAuth, OpenID Password Crack Could Affect Millions · · Score: 1

    Fair enough. It is more secure. I was simply trying to illustrate that the original poster's snarky attitude is misplaced since his solution sucks, too.

  7. Re:Or... on OAuth, OpenID Password Crack Could Affect Millions · · Score: 1

    Congratulations. You've just implemented a system that is exactly no more secure. See posts above for why.

  8. Re:OpenID on OAuth, OpenID Password Crack Could Affect Millions · · Score: 2

    I suddenly wish I hadn't posted in this thread so I could mod you up to offset that troll mod someone lacking a sense of humor gave you.

  9. Re:Add a random delay on OAuth, OpenID Password Crack Could Affect Millions · · Score: 1

    That makes sense. If you have a 300us processing time for a particular incorrect password and you pad by 1000us +- 500us in all cases, with a uniform distribution, then it's relatively easy to guess, with known confidence, how long the real processing took, since the average of multiple attempts will come out to 1300us. More generally, adding a random sleep with any known distribution is doomed to failure.

    The easiest way to do this is to define a time, X, that is longer than all expected processing times. Then you force all operations to take exactly X time.

  10. Re:Or do not have variable delays at all on OAuth, OpenID Password Crack Could Affect Millions · · Score: 1

    But if you sleep, you may not wake up for a long time. Processes that relinquish the CPU could take a while to schedule again on machines with heavy load. When you're talking just a few dozen instructions for the additional compares, since most strings ought to be short, it's far better to finish the comparison.

    I know, I know, you'll say it's "not a big deal", but you probably just don't deal with real users that expect to have low latency responses to their requests.
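The two comments above (9 and 10) argue about how to stop a password check from leaking timing information: a random sleep with a known distribution averages out, padding every request to a fixed budget X works but relies on the scheduler waking you promptly, and for short strings simply finishing the comparison is cheapest. The following is an added illustration written for this archive, not code from the commenter or from any of the sites discussed; the names `early_exit_compare`, `constant_time_compare`, `run_with_fixed_duration`, `mean_with_uniform_noise` and the sample secret are all constructed for the example.

```python
import hmac
import random
import time

# Constructed sample: the server-side value a submitted credential is compared against.
STORED_SECRET = "correct horse battery staple"


def early_exit_compare(a: str, b: str) -> bool:
    """Returns at the first mismatching byte, so its running time depends on how
    many leading bytes match. This is the leaky shape the thread is discussing,
    kept here only as the 'before' case."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def constant_time_compare(a: str, b: str) -> bool:
    """Comment 10's preference: just finish the comparison. hmac.compare_digest is
    the standard-library primitive whose cost does not depend on where the
    inputs first differ."""
    return hmac.compare_digest(a.encode(), b.encode())


def run_with_fixed_duration(fn, budget_s: float):
    """Comment 9's suggestion: choose X longer than any expected processing time
    and make every call take X. Returns (fn's result, elapsed seconds). The loop
    re-checks the deadline because sleep() may return early or, under load, late;
    the latter is exactly comment 10's objection to sleeping at all."""
    start = time.monotonic()
    deadline = start + budget_s
    result = fn()
    while time.monotonic() < deadline:
        time.sleep(deadline - time.monotonic())
    return result, time.monotonic() - start


def mean_with_uniform_noise(base_us: float, trials: int = 20000, seed: int = 1) -> float:
    """Comment 9's arithmetic, simulated rather than measured: a uniform pad of
    1000us +/- 500us on top of a base_us operation averages to base_us + 1000us,
    so an observer who knows the pad's distribution recovers base_us by
    subtracting its mean. No real timing is involved."""
    rng = random.Random(seed)
    samples = [base_us + rng.uniform(500.0, 1500.0) for _ in range(trials)]
    return sum(samples) / len(samples)


if __name__ == "__main__":
    print("noisy mean for a 300us operation:", round(mean_with_uniform_noise(300)))
    ok, took = run_with_fixed_duration(lambda: constant_time_compare(STORED_SECRET, "nope"), 0.02)
    print("padded compare ->", ok, "in", round(took, 4), "s")
```

The simulated mean lands on roughly 1300us as the comment says, which is why the pad must be a fixed deadline rather than a random addition. Even then, `run_with_fixed_duration` only guarantees a lower bound: under heavy load the process may be rescheduled well after the deadline, so the constant-time comparison is the part that does the real work and the fixed budget is belt-and-braces on top of it.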

  11. Re:Steve Jobs = Emmanuel Goldstein? on More Trouble In Apple's App Store · · Score: 1

    I know I shouldn't feed the trolls, but I do have to add one thing.

    The analogy to the two minute hate doesn't just imply that there's a regularly allotted time for hatred. It also implies that the reasons for it are not well understood and possibly fabricated. If you don't understand that, you obviously haven't read the book, or you weren't smart enough to comprehend it.

    Also, the words "certain respects" never appeared in the post to which I responded (nor, for that matter, anywhere in this thread except your post), and, last I checked, having read a book doesn't take a mighty intellect, but I realize that point may be contentious among some.

  12. Re:Steve Jobs = Emmanuel Goldstein? on More Trouble In Apple's App Store · · Score: 1

    Because at least ten bloggers have said there is a problem.

    Actually, there's a class action lawsuit about the antenna problem. That suggests it's more than ten bloggers, but hey, don't let facts get in the way of your "satire."

    Curating is evil because it takes away our freedom to download shoddy and dangerous apps but they should have blocked all those fart applications.

    Actually, the argument, as I understand it, goes that if Apple were doing a good job curating, why are there so many useless apps? It seems they are curating only to block apps they don't like not ones that are bad for the customer. But I guess subtlety isn't your strong suit.

    Besides, there's nothing wrong with curating. Android also has it. The problem is when the phone doesn't let you install apps by any other means except the curated source.

    Gigahertz antenna design is a black art, but obviously Apple designers are far less competent than Joe Blogger. Apple could easily have foreseen each and every abuse of the store because, ehm, well, they just could.

    Once again, subtlety isn't your thing. The point of the argument is that curating doesn't help. The majority of the apps are crap, so why bother? Plus, the antenna issue does seem exactly like the kind of thing that you ought to discover in QA. But I suspect this was due to Apple's well known secrecy, even within itself. If you have only a small number of people working on it, and even the ones who work on it don't get to know that they are (yes, this does happen within Apple; for example, you can be asked to implement feature X without knowing that feature X is for the new iPhone), then you have a lot less chance for testing the product before it goes to market. So yes, I blame Apple for the antenna problem. Perhaps if they hadn't been so paranoid and had dogfooded the phone more, someone would have noticed that the damned thing doesn't work if you happen to hold it in a way they didn't expect. Or maybe they did know and they went to market, anyway, and then realized it was a mistake. I can accept that a lot more since it means they aren't incompetent, they just misjudged their customers.

    The demand for a fix NOW, NOW, NOW: If Apple doesn't respond for a week, they obviously don't want to admit there is a problem, and they don't care, and they are incompetent, and they have really gone downhill and they only sell to sheeple in the first place. Oh and have I said already that I want a fix for this problem NOW, NOW, NOW?

    Honestly, WTF? I really don't see what's so hard about issuing a notice saying, "We're working on the problem. We expect to have more information in two weeks." If Apple leaves you hanging for a week with a broken phone without giving you even that much, you can complain all you like and return the thing. Serves 'em right.

  13. Re:Steve Jobs = Emmanuel Goldstein? on More Trouble In Apple's App Store · · Score: 4, Insightful

    Yep, Apple is a regular Jesus Christ, martyred all over Slashdot's front page.

    Let's count the ways that Apple is just like Emmanuel Goldstein.

    Emmanuel Goldstein was a fictional creation of the oligarchy to direct the hatred of the masses away from them.

    Actually, hmm, that doesn't sound the slightest bit like Apple. Let's try again.

    Goldstein was the purported author of a book that explains the way the oligarchy controlled the masses. Hmm, that could be analogous to DRM and closed platforms, but I'm still not really seeing it, since that makes Apple Big Brother and not Goldstein, although admittedly in the book, Goldstein is a fabrication of Big Brother, so maybe in a twisted way it works.

    Finally, Goldstein supposedly had a network of people undermining the ruling party. The party spread this information to create fear in the populace. I haven't seen Apple saying Microsoft or Google is infiltrating their customers and undermining them from within.

    Nope. All I can figure is that Apple is doing a bad job with the app store and you suck at analogies. But better luck next time.

  14. Re:The elephant in the summery on Study Finds Google Is More Trusted Than Traditional Media · · Score: 1

    I could predict that Ford's are about to announce a flying car, and in 50 years or so, I'll look like a frikkin' genius.

    It doesn't work that way. There was an article on here a few weeks back about all the things Bill Gates predicted in The Road Ahead, and he had a lot of misses. Just predicting something will happen because it could doesn't make it automatically right. For example, I think the flying car prediction, although tongue-in-cheek, is wrong and a good example of how social factors are often neglected in such predictions. Consider: How dangerous is driving now? Do you think it will be safer with flying cars? How bad are drivers today? Do you think they'll be better in three dimensions? How fuel efficient will a flying car be? Do you think that energy prices will be low enough to allow this?

    It's my prediction that the only way we'll ever get flying cars is if the car is completely autonomous and powered by nuclear fusion. Even then, it seems unlikely that a normal person could keep the thing in proper working order so as not to result in regular crashes, causing much damage to people and buildings on the ground.

    My point is, it's hard to guess where tech is going. Even getting things this right is impressive, in my book. That doesn't mean I don't take tech analysts with a huge grain of salt. I just finished explaining why what they do is really hard and unreliable. If Enderle managed to get this much right, I think he deserves to pat himself on the back. That's not to say I'll believe him the next time he comes out to say something crazy, though.

  15. Re:The elephant in the summery on Study Finds Google Is More Trusted Than Traditional Media · · Score: 4, Interesting

    I'm not sure what your point wrt Enderle is. There are several predictions in that article, all of which are correct, but with some caveats.

    Apparently, Enderle said that Apple would switch to Intel chips by the end of 2003. He also said it would use Windows. He was wrong about the year (it was 2006), but Apple computers now run Windows as an option, and they are Intel chips.

    Enderle predicted Apple would make smaller, cheaper iPods based on flash memory. Right on all counts.

    He predicted that Apple would make an iPod that played video. Right again.

    Obviously, he was wrong about the timelines on most (all?) of these, but overall, I'd say that's a pretty impressive record. I certainly wouldn't have called the iPod moving to flash in 2003; at least, not for a long while. I also wouldn't have called Apple moving to x86. He was two years early on the first one and three on the second.

    Anyway, I don't think you were trying to imply that this poll is something that's insulted by short-sighted blogs, but is just a little ahead of its time. Maybe you meant it's the Fox News of polling?

  16. Re:Not copies on Google Relents, Will Hand Over European Wi-Fi Data · · Score: 1

    RTFA. They wanted to find open access points for people to use when walking around with mobile phones and accidentally captured data as well as AP information.

  17. Re:All HTTP traffic should be encrypted on Google Offers Encrypted Web Search Option · · Score: 2, Insightful

    The real problem with allowing self-signed certs is that it means that https doesn't mean you're secure anymore.

    Yes, technical users might be able to use them safely, but I wouldn't trust myself to be that attentive. Consider if I clear all my local browser state, or if I'm using a new computer and I go to my bank's web site. I've entered https so I think I'm safe. Do you think I'm going to notice the lack of a lock in the browser window? What about sites like facebook where I don't even see https, even though it's authenticated over https? For situations like these, the only warning you get that something is up is the self-signed cert problem.

    Of course, with facebook, a mitm attack could remove all ssl and nobody would know, which is why it's a bad idea not to put your login page on ssl. However, for most users, simply seeing or typing https means "I'm secure." Allowing self-signed certs breaks that.

  18. Re:But... what? on AT&T Glitch Connects Users To Wrong Accounts · · Score: 1

    I'm 100% certain they don't hash the password for the token. They simply generate a random token and store it in a database somewhere.

    I have no inside knowledge. But that way works equally well as long as you are running a stateful service, anyway.

    If the server (or att in this case) sends the page, including the header that sets the cookie, to the wrong user, that user has control of the session for as long as the cookie is valid.

    That is an extremely unlikely scenario, though it did appear to happen once, according to one claim. That's because even a really stupid proxy won't include the cookie headers when caching pages.

    It isn't limited to login since the cookie expiration time is updated fairly frequently (perhaps every page).

    No, facebook's login cookie is set to expire at the end of the session, and if all the state is server side, as you say, then there's never any reason to change it.

  19. Re:But... what? on AT&T Glitch Connects Users To Wrong Accounts · · Score: 1

    I read it as two sessions getting switched. I don't think of a proxy cache mixup as wires getting crossed, even though there apparently were two users who claim they got switched in just this fashion.

    Funny coincidence considering gmail just switched to SSL a few days ago.

  20. Re:But... what? on AT&T Glitch Connects Users To Wrong Accounts · · Score: 1

    I would find it very unlikely that the auth servers care about NAT. Putting the IP address in the session cookie is a recipe for disaster considering how widespread NAT, dynamic IPs, and proxies are.

    Most likely, as another user has pointed out, it's a proxy disobeying the cache headers in the responses to Facebook's pages. It's also possible that Facebook is setting these headers incorrectly, though that seems less likely. There have also been reports of session cookies going to the wrong machines, which means that there may be multiple problems here (or those reports are crap).

  21. Re:But... what? on AT&T Glitch Connects Users To Wrong Accounts · · Score: 1

    Replying to myself:

    It seems that maybe it is that unlikely scenario. If you go to the second page of TFA:

    The Sawyers experienced a different glitch. Coe said an investigation points to a "misdirected cookie." A cookie is a file some Web sites place on computers to store identifying information -- including the user name that Facebook members would enter to access their pages. Coe said technicians couldn't figure out how the cookie had been routed to the wrong phone, leading it into the wrong Facebook account.

    I don't know how you can misconfigure a proxy that badly, but leave it to AT&T, I guess.

  22. Re:But... what? on AT&T Glitch Connects Users To Wrong Accounts · · Score: 1

    A strong hash of your password is, for all intents, random. The point of a hash is that it's very hard to go from the hash back to the input string to the hash.

  23. Re:But... what? on AT&T Glitch Connects Users To Wrong Accounts · · Score: 1

    The "magic" about cookies is that they are stored in your browser. Therefore, once you've got your cookie, no amount of "wire switching" is going to give that cookie to someone else.

    What could happen is that the response to the login session goes to the wrong browser, but that seems a lot less likely since you'd need two sessions logging in simultaneously.

    Yes, it's possible that it's a cache control header being ignored by a proxy, in which case the site would most likely be read-only.

  24. Re:But... what? on AT&T Glitch Connects Users To Wrong Accounts · · Score: 4, Informative

    Yes, but typically, the way you log in to one of these services requires that you have cookies enabled. There's a cookie in your local browser that has information derived from your password. For example, imagine facebook stores your password in its database as a sha1 hash of a salt and your password. E.g. the entry facebook has stored might look like this:

    salt = string(rand64())
    password_hash = sha1(salt + password)

    Now, to authenticate, you send facebook your password and they use the saved salt to see if it matches the stored sha1 hash. What they send you back would be a token to put into your cookie like this:

    token = (date, username, sha1(password_hash + date))

    Now, they make the token good only for a certain amount of time after the date. Say three hours. When facebook gets another request, it checks to see if the token is valid by comparing the date and username and then looking up the password hash for that username. It then recomputes the sha1 hash in the token to make sure it's valid.

    Using this model, it's completely impossible to log in to another account by "switching the wires". You can log in to an account simply by stealing the cookie, but that grants you login access for only a single session.
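Comment 24 sketches a session token of the form (date, username, sha1(password_hash + date)) that the server re-derives from its stored salted hash and accepts for a fixed window. Below is an added, runnable rendering of that sketch for this archive; it is not Facebook's code nor the commenter's, and everything in it beyond the three named fields and the three-hour lifetime (the `USERS` table, the two constructed users, `issue_token`, `validate_token`, `scenario`, the fixed clock `T0`) is an assumption made for the example. SHA-1 is kept because the comment uses it, not as a recommendation.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# "good only for a certain amount of time after the date. Say three hours."
TOKEN_LIFETIME = timedelta(hours=3)


def make_user_record(password: str) -> dict:
    """Server-side record as described: salt = string(rand64()),
    password_hash = sha1(salt + password). Constructed for the example."""
    salt = os.urandom(8).hex()
    password_hash = hashlib.sha1((salt + password).encode()).hexdigest()
    return {"salt": salt, "password_hash": password_hash}


# Constructed user table; real passwords would never be literals like this.
USERS = {"alice": make_user_record("alice-pw"), "bob": make_user_record("bob-pw")}


def check_password(username: str, password: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare."""
    rec = USERS.get(username)
    if rec is None:
        return False
    candidate = hashlib.sha1((rec["salt"] + password).encode()).hexdigest()
    return hmac.compare_digest(candidate, rec["password_hash"])


def _token_digest(password_hash: str, issued: str) -> str:
    """The third field of the token: sha1(password_hash + date)."""
    return hashlib.sha1((password_hash + issued).encode()).hexdigest()


def issue_token(username: str, password: str, now: datetime):
    """On a successful login return (date, username, digest); None otherwise."""
    if not check_password(username, password):
        return None
    issued = now.isoformat()
    return (issued, username, _token_digest(USERS[username]["password_hash"], issued))


def validate_token(token, now: datetime) -> bool:
    """Check the date window, look up the user's stored hash, recompute the
    digest and compare. Anything malformed is simply rejected."""
    try:
        issued_str, username, digest = token
        issued = datetime.fromisoformat(issued_str)
    except (TypeError, ValueError):
        return False
    rec = USERS.get(username)
    if rec is None:
        return False
    if not (issued <= now <= issued + TOKEN_LIFETIME):
        return False
    return hmac.compare_digest(_token_digest(rec["password_hash"], issued_str), digest)


T0 = datetime(2010, 2, 1, 12, 0, tzinfo=timezone.utc)  # constructed login time


def scenario() -> dict:
    """Walk the flow once with a fixed clock and return each check's outcome."""
    tok = issue_token("alice", "alice-pw", T0)
    forged = (tok[0], "bob", tok[2])  # alice's digest presented under bob's name
    return {
        "bad_password_rejected": issue_token("alice", "wrong", T0) is None,
        "fresh_token_ok": validate_token(tok, T0 + timedelta(minutes=5)),
        "expired_after_3h": not validate_token(tok, T0 + TOKEN_LIFETIME + timedelta(seconds=1)),
        "username_swap_rejected": not validate_token(forged, T0 + timedelta(minutes=5)),
        "future_dated_rejected": not validate_token(tok, T0 - timedelta(minutes=1)),
        "garbage_rejected": not validate_token("not a token", T0),
    }


if __name__ == "__main__":
    for name, passed in scenario().items():
        print(f"{name}: {'ok' if passed else 'FAIL'}")
```

Two properties of the scheme are worth seeing in the code rather than the prose. Because the digest is keyed by the stored password hash, a password change invalidates every outstanding token without any server-side session table, which is what lets the service stay stateless. And because the token carries no per-session randomness, it is a pure bearer credential: whoever holds the cookie holds the session until the window closes, which is exactly the caveat in the comment's last sentence. A design today would key the digest with a server-held secret (an HMAC) rather than the password hash, so that a leaked credential database does not double as a token-minting key.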

  25. Re:Looks like email and the desktop were not enoug on China Emphasizes Laws As Google Defies Censorship · · Score: 1

    It is not "that they are killing people", it is "who they are killing" that gets human rights violations involved

    Capital punishment.

    It is not "that they are discriminating", it is "who they are discriminating against" that gets human rights violations involved

    Gay marriage.

    It is not "that they are rigging elections", it is "what their political platform is" that gets human rights violations involved

    Election zoning.

    Well, then, seems that censorship fits right in with those examples. It's definitely the degree to which you do it in all of them that makes it a human rights issue.

    The point is that censorship prevents the Chinese from making informed decisions about their lives. How can you be a responsible citizen if basic information is withheld from you? You claim rigging elections is a violation of human rights and yet censorship prevents even the idea of a fair election.

    Not that I'm saying we should do anything about it. It's up to the Chinese to save themselves from their government. Google and the US aren't going to change much without the Chinese people getting some idea about the harm their government is doing to them.