All Americans suck because all European politicians are just as bad as their American counterparts.
Fuck the EU politicians.
Signed, a citizen of Denmark.
Interesting anecdote: "Junibevægelsen mod EU" (the june movement against EU, a quite small political party) did arrange a weekend trip to Bruxelles a good year ago, where we got to meet with a politician's advisor gave a talk about the market price of corn and agricultural subsidies, and a journalist who spoke (among other things) about telephony and roaming charges (the politicians wanted to offload their phone bill on the citizens; self-serving bastards). And of course some time off to goof off and eat dutch fries (you know, with fish and mayonnaise).
Here's the punchline: what I learned from that trip is that although it is indeed possible to travel to Belgium, and if you prepare in advance you may be able to get the attention of a politician, citizens of pretty much anything other than Belgium have to spend a large amount of time doing so, plus they have to take off a sizable portion of their work week to meet the politicians when they're actually there. In short, regular citizens don't have any real access to a political body that governs non-trivial parts of their lives.
Your suggested business model works great for some kinds of software, and not at all for others.
One case is the mass-market software. In economic theory, this is the transaction overhead cost (is that the right term); you can afford it if you have five big customers. You can't afford it if you have five million small customers. You also lose the opportunity of making something and finding out later who your customers are.
This also happens in the real world: the wii, the iphone, the thinkpads; they might be made with one or more particular market segments in mind, but no agreements with the buyers before they were made, which is of real benefit both to the buyers and the sellers.
I'm not saying that your parent isn't wrong or presenting his view with bad rhetoric, but let's get the whole truth on the table, yeah?
Well, the problem is that it's called Intellectual Property. I have nightmares about an Intellectual Prison, where instead of my usual diet of Agarwal and Lewin (EE 6.002 and physics 8.02 from ocw) I'm forced to watch Teletubbies and Fox news.
A copyright defines rights which are granted to somebody from the government.
Almost true.
A copyright defines a set of rights which is temporarily given up by everybody except one entity, for the benefit of that entity. The giving up of those rights is mandatory, in the sense that the law says you have to, and voluntary in the sense that The People (in theory) chooses what the law says.
I think the generally accepted philosophical POV on/. is that when you're born, you're granted some set of rights. No more rights can come into existence, but they can be taken away or not. The government has the power, when backed by the will of the people, to take away some of those rights, but is unable to create rights.
The cynic in me believes that [IE is] giving you all sorts of 'helpful' warnings [...] to push website developers into buying certificates. Microsoft is in Verisign's pocket? Please share, it must be some good tobacco;)
I can see the (very contrived) profit motive of a "bad" firefox specifically on ubuntu though (Mark Shuttleworth was involved in Thawte, a CA), but you talk about firefox in general.
and it gives no guarantee whatsoever of who you are talking to, as some people are stupidly claiming around here. Here's my razor, made up on the spot: never attribute to stupidity what can adequately be explained by ignorance (it's unnecessarily offensive, for one).
Now, care to share your knowledge? I'm thinking that the domain name of the certificate owner is baked into the certificate. Sure, they might let others use *.webhosting.bankofbumfukistan.com, but I think there's a competitive advantage in not doing that.
This is a fairly long post. Here's the short version:
We don't have self-signed certificates because the CAs' didn't do the job properly. We have them because they solve a problem that isn't the CAs' job to solve.
(and I think people may be misusing self-signed certificates)...Now, onto the long version...
In my opinion SSL mixed two requirements, identification of site owner and secure communication.
Saying that something is secure raises the question "against what?". I would prefer to say that the two requirements going into SSL are identification versus confidentiality and authenticity, which I think captures the security requirements you had in mind.
(Remedial crypto-lingo: authenticity means the receiver receives what you sent; confidentiality means no one else learns anything about the message).
This meant that many sites applied for SSL certificates just for secure communication.
Which is rather silly of them, really. If you give up identification---that is, the trusted (although, I think your point in part is, not very trustworthy) third party's verifiable statement that key x is connected to person y---you get the same security as with self-signed certificates: you get a authentic confidential communication, you just don't know with confidence who you're talking to.
For some scenarios, this might be okay. As a non-cryptographic example, I know that Simon Tatham wrote putty, and that he wrote a puzzle collection. Is his real name Simon? Does he live where he claims to? I don't know, and I don't care (no offense, Simon). His identity, in my eyes, is the connection from putty to one entity and the connection of the puzzle collection to the same entity. Identity is association, and all I want to associate is one chunk of code with another.
For a cryptographic example, the identity of Sourceforge, in my mind, is one establish through associating things that only happen on the net: oh--this project is on sourceforge, oh--that project is on sf, oh--my project is on it. In that case, I would be happy to receive a self-signed certificate, and trust that certificate to vouch for sourceforge (and sourceforge only). Then, I would know that it's always the same sourceforge I'm connecting to (which is what I want), but not who I'm actually connecting to (which doesn't have any meaning to me anyways).
For others, it is not. When I contact my bank, I want to know that the web page is associated with something that isn't on the web: the bank's physical presence in my country (its big money vault, its staff, its stocks as listed on the stock exchange). I can't verify this over the web, so I need someone to do that for me. This is the service performed by the CA.
These covers the cases when you want authentic confidential with and without identification. I can't right now imagine a scenario where I would want identification but no confidentiality or authenticity.
They should have allowed secure communication without certificates, and had properly authorised certificates to start with. Since they didn't we have the situation where people have to self-sign
I agree with your second point: they should properly verify (to the extent reasonable, of course) that the certificates they sign are only going to be used by the entity named in the certificate.
Your first point I don't completely understand. They did allow secure communication, since you don't need a CA if you just want a plain old unauthenticated key exchange (such as Diffie-Hellman). The standard way to do unauthenticated key exchange in today's software environment is, for practical reasons, with self-signed certificates.
So, like I said in the short version: self-signed certificates is not an inferior solution to the problem, it's a perfect solution to a different problem.
Now ISPs have a problem with users that run applications that present a high constant load because they don't fit the statistical model. High volume P2P is the primary offender right now. Agreed, although I think the description of P2P with the term "offender" comes off as biased against yet another valid traffic patterns.
If people are using these sorts of applications when the network is heavily loaded it seems to me quite reasonable that traffic based on interactive applications (VOIP, video, HTTP) should receive priority. I disagree. I think each user should be given an equal share of the bandwidth, and be able to decide on their own how best to distribute that share among their desired applications.
ANY good computing system should favor interactive applications over non-interactive applications. It is a basic system design principle. This can be done by the user's system. There's no need for the ISP to second-guess the user.
Since this is the case, I would say that it's more important that the user is in control, so he can choose the behavior that's right for him, than to have a default behavior that works for most people.
Consider this analogy: would you prefer a benevolent dictatorship to a democracy? Why not? Does it have to do with your influence on the governance?
You have a network that is dedicated to that one application. That is NOT what I as an end user want. Well, if you leave it to the ISPs to choose per-application network performance, you end up with an internet dedicated to the applications the ISP likes. Expect that to not include any services that competes with their offerings (say, cable tv).
Could you explain what would be lost if such as page was clearly marked as highly technical, and was optional to read?
I'm thinking something along the lines of the link text being "high technical information" and the page having a header that goes "The information on this page is meant for people who want to know the technical details of how internet service is provided by $ISP. It's written with the assumption that the reader knows what TCP window sizes, anycast routing and best-efforts networks are and which practical implications they have. If these terms are new to you, you probably want $USER_FRIENDLY_DOC."
I'm with you on the point that you shouldn't try to force your users to understand the technology (just as the car stereo salesman doesn't wax on/wax off about how frequency modulation works and the benefits of optical versus magnetic storage). But not having to explain something is different from having to not explain it. Why not make both groups of users happy?
11 felony counts of stealing and secreting public records How do you secrete public records? "Help, I'm bleeding highway routes and education budgets!"
Heh, that's some of the hardest labor I've seen go into plagiarism. That is, outside of academia, the movie industry, politics and web forums where pretty much everyone copies everyone else...
If we could get enough people to encrypt their communications, such a flag would be worthless Or one could set up a shell account on Blinkenshell, which is located in Linköping, for the purpose of securely exporting large amounts of random bits to Sweden;)
(let's hope blinkenshell has the bandwidth for that...)
Slashdot Mirror
Here's a reply to your signature:
All Americans suck because all European politicians are just as bad as their American counterparts.
Fuck the EU politicians.
Signed, a citizen of Denmark.
Interesting anecdote: "Junibevægelsen mod EU" (the june movement against EU, a quite small political party) did arrange a weekend trip to Bruxelles a good year ago, where we got to meet with a politician's advisor gave a talk about the market price of corn and agricultural subsidies, and a journalist who spoke (among other things) about telephony and roaming charges (the politicians wanted to offload their phone bill on the citizens; self-serving bastards). And of course some time off to goof off and eat dutch fries (you know, with fish and mayonnaise).
Here's the punchline: what I learned from that trip is that although it is indeed possible to travel to Belgium, and if you prepare in advance you may be able to get the attention of a politician, citizens of pretty much anything other than Belgium have to spend a large amount of time doing so, plus they have to take off a sizable portion of their work week to meet the politicians when they're actually there. In short, regular citizens don't have any real access to a political body that governs non-trivial parts of their lives.
Your suggested business model works great for some kinds of software, and not at all for others.
One case is the mass-market software. In economic theory, this is the transaction overhead cost (is that the right term); you can afford it if you have five big customers. You can't afford it if you have five million small customers. You also lose the opportunity of making something and finding out later who your customers are.
This also happens in the real world: the wii, the iphone, the thinkpads; they might be made with one or more particular market segments in mind, but no agreements with the buyers before they were made, which is of real benefit both to the buyers and the sellers.
I'm not saying that your parent isn't wrong or presenting his view with bad rhetoric, but let's get the whole truth on the table, yeah?
(goes and hugs his gnu, tux and beastie dolls)
Well, the problem is that it's called Intellectual Property. I have nightmares about an Intellectual Prison, where instead of my usual diet of Agarwal and Lewin (EE 6.002 and physics 8.02 from ocw) I'm forced to watch Teletubbies and Fox news.
A copyright defines rights which are granted to somebody from the government.
Almost true.
A copyright defines a set of rights which is temporarily given up by everybody except one entity, for the benefit of that entity. The giving up of those rights is mandatory, in the sense that the law says you have to, and voluntary in the sense that The People (in theory) chooses what the law says.
I think the generally accepted philosophical POV on /. is that when you're born, you're granted some set of rights. No more rights can come into existence, but they can be taken away or not. The government has the power, when backed by the will of the people, to take away some of those rights, but is unable to create rights.
Just a random tangent.
No, running your OS on a toaster only works if the OS is the brain spawn of an angry South African.
Hold on.
Are you trying to say that a very generic and non-particular someone threw a katana at the font?
I can see the (very contrived) profit motive of a "bad" firefox specifically on ubuntu though (Mark Shuttleworth was involved in Thawte, a CA), but you talk about firefox in general.
and it gives no guarantee whatsoever of who you are talking to, as some people are stupidly claiming around here. Here's my razor, made up on the spot: never attribute to stupidity what can adequately be explained by ignorance (it's unnecessarily offensive, for one).Now, care to share your knowledge? I'm thinking that the domain name of the certificate owner is baked into the certificate. Sure, they might let others use *.webhosting.bankofbumfukistan.com, but I think there's a competitive advantage in not doing that.
What am I missing?
This is a fairly long post. Here's the short version:
We don't have self-signed certificates because the CAs' didn't do the job properly. We have them because they solve a problem that isn't the CAs' job to solve.
(and I think people may be misusing self-signed certificates) ...Now, onto the long version...
In my opinion SSL mixed two requirements, identification of site owner and secure communication.
Saying that something is secure raises the question "against what?". I would prefer to say that the two requirements going into SSL are identification versus confidentiality and authenticity, which I think captures the security requirements you had in mind.
(Remedial crypto-lingo: authenticity means the receiver receives what you sent; confidentiality means no one else learns anything about the message).
This meant that many sites applied for SSL certificates just for secure communication.
Which is rather silly of them, really. If you give up identification---that is, the trusted (although, I think your point in part is, not very trustworthy) third party's verifiable statement that key x is connected to person y---you get the same security as with self-signed certificates: you get a authentic confidential communication, you just don't know with confidence who you're talking to.
For some scenarios, this might be okay. As a non-cryptographic example, I know that Simon Tatham wrote putty, and that he wrote a puzzle collection. Is his real name Simon? Does he live where he claims to? I don't know, and I don't care (no offense, Simon). His identity, in my eyes, is the connection from putty to one entity and the connection of the puzzle collection to the same entity. Identity is association, and all I want to associate is one chunk of code with another.
For a cryptographic example, the identity of Sourceforge, in my mind, is one establish through associating things that only happen on the net: oh--this project is on sourceforge, oh--that project is on sf, oh--my project is on it. In that case, I would be happy to receive a self-signed certificate, and trust that certificate to vouch for sourceforge (and sourceforge only). Then, I would know that it's always the same sourceforge I'm connecting to (which is what I want), but not who I'm actually connecting to (which doesn't have any meaning to me anyways).
For others, it is not. When I contact my bank, I want to know that the web page is associated with something that isn't on the web: the bank's physical presence in my country (its big money vault, its staff, its stocks as listed on the stock exchange). I can't verify this over the web, so I need someone to do that for me. This is the service performed by the CA.
These covers the cases when you want authentic confidential with and without identification. I can't right now imagine a scenario where I would want identification but no confidentiality or authenticity.
They should have allowed secure communication without certificates, and had properly authorised certificates to start with. Since they didn't we have the situation where people have to self-sign
I agree with your second point: they should properly verify (to the extent reasonable, of course) that the certificates they sign are only going to be used by the entity named in the certificate.
Your first point I don't completely understand. They did allow secure communication, since you don't need a CA if you just want a plain old unauthenticated key exchange (such as Diffie-Hellman). The standard way to do unauthenticated key exchange in today's software environment is, for practical reasons, with self-signed certificates.
So, like I said in the short version: self-signed certificates is not an inferior solution to the problem, it's a perfect solution to a different problem.
That being said, the case may very well b
So what you're saying is that next year is the year of skynet on the desktop?
--O--...<------ you
Whoosh ;)
So what you're saying is that a slashdot thread without an analogy is like a car with only one liver?
Not to be more anti-american than I have to, doesn't this show that the United States, in some sense, "owns" the internet? If not, why?
Given the nature of software security, I predict it will be
Nintendo - n
Hackers - n+1
For 99% of the time. In other words: Nintendo security is dead, netcraft confirms it.
Let's go over what you said:
Now ISPs have a problem with users that run applications that present a high constant load because they don't fit the statistical model. High volume P2P is the primary offender right now. Agreed, although I think the description of P2P with the term "offender" comes off as biased against yet another valid traffic patterns. If people are using these sorts of applications when the network is heavily loaded it seems to me quite reasonable that traffic based on interactive applications (VOIP, video, HTTP) should receive priority. I disagree. I think each user should be given an equal share of the bandwidth, and be able to decide on their own how best to distribute that share among their desired applications. ANY good computing system should favor interactive applications over non-interactive applications. It is a basic system design principle. This can be done by the user's system. There's no need for the ISP to second-guess the user.Since this is the case, I would say that it's more important that the user is in control, so he can choose the behavior that's right for him, than to have a default behavior that works for most people.
Consider this analogy: would you prefer a benevolent dictatorship to a democracy? Why not? Does it have to do with your influence on the governance?
You have a network that is dedicated to that one application. That is NOT what I as an end user want. Well, if you leave it to the ISPs to choose per-application network performance, you end up with an internet dedicated to the applications the ISP likes. Expect that to not include any services that competes with their offerings (say, cable tv).Could you explain what would be lost if such as page was clearly marked as highly technical, and was optional to read?
I'm thinking something along the lines of the link text being "high technical information" and the page having a header that goes "The information on this page is meant for people who want to know the technical details of how internet service is provided by $ISP. It's written with the assumption that the reader knows what TCP window sizes, anycast routing and best-efforts networks are and which practical implications they have. If these terms are new to you, you probably want $USER_FRIENDLY_DOC."
I'm with you on the point that you shouldn't try to force your users to understand the technology (just as the car stereo salesman doesn't wax on/wax off about how frequency modulation works and the benefits of optical versus magnetic storage). But not having to explain something is different from having to not explain it. Why not make both groups of users happy?
If you want to play games, wouldn't that be Norad II and Norad III?
Let's see:
Nexuiz
Openarena
Urban Terror
World of Padman
Cube 2 -- Sauerbraten (and cube 1 also)
Warsow
Alien Arena
Vegastrike
Adanaxis
(Just off the top of my head.)
1: Giant evil turtle kidnaps princess. But Ganondorf isn't a turtle!
if it you build, come they will? A noat about "it": its the internet's, of coarse ;) (SCNR)
Heh, that's some of the hardest labor I've seen go into plagiarism. That is, outside of academia, the movie industry, politics and web forums where pretty much everyone copies everyone else...
(let's hope blinkenshell has the bandwidth for that...)
Because as we all know, good is dumb! ;)