Slashdot Mirror


User: vux984

vux984's activity in the archive.

Stories
0
Comments
10,772
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 10,772

  1. Re:*illegal* scammers on US Financial Quagmire Bringing Out the Scammers · · Score: 1

    Why not? If I know Joe isn't going to pay me back, but some 3rd party is forcing me to loan him, why should my other customers pay for that 3rd party's incompetence? I agree that there's plenty of blame to go around to everyone involved, but I don't see why banks should have to cover being forced to give loans out to bums.

    Here's an equivalent example. Lets say you ran a store and searched anyone who you suspected of shoplifting, and then they passed a law saying you couldn't do this. Now, this law is going to cost you money... you KNOW some people are going to get away with shoplifting because of it.

    So what do you do? Do you raise prices to cover the loss you are being 'forced' to incur, or do you go bankrupt and then whine at the government that its their law that caused you to go under?

    Most businesses would have coped just fine, and we'd have no sympathy for the business that couldn't figure out how to stay afloat.

    Look, I agree that forcing banks to loan to people who couldn't afford it was a STUPID law, but it didn't CAUSE banks to go bankrupt, the banks did that on their own, by utterly failing to cover the losses the law forced them to make; and indeed they made the problem worse by lying about the risks they were taking on.

  2. Re:*illegal* scammers on US Financial Quagmire Bringing Out the Scammers · · Score: 4, Insightful

    Don't forget that it wasn't just the mortgage brokers, but the government requiring banks to loan to people who normally wouldn't qualify for a loan and couldn't afford to pay it back.

    Trotting this out are you?

    Its true the government did require to make loans to people who wouldn't otherwise qualify, but that's not really the issue at all. They were forced to assume some extra risk by legislation, any remotely thoughtful person would realize that the banks should have MITIGATED this EXTRA risk, by covering it elsewhere.

    To give you an example, if I run a bank, and the government says, you have to lend money to joe, and I know Joe can't afford it, and will probably foreclose, I don't just "do it and blame the government when joe forecloses", I set the interest rate on ALL my customers a little higher to ensure that when Joe forecloses I'm not bankrupt.

    Thus the government requiring the banks to lend to people who they would otherwise not to, is no different than any other regulation placed on banks, all of which costs them money to satisfy, and in each case they simply pass the cost onto their customers.

    Instead, in this case, they just blindly did it, and worse, they then created mortgage backed securities full of these risky loans and then did the most colossally stupid thing... the thing that caused the REAL collapse of the economy... they LIED about how risky these were, leading them to be GROSSLY overvalued.

  3. Re:Your privacy was eroded for you on Give Up the Fight For Personal Privacy? · · Score: 1

    Wrong.

    Care to elaborate. What about it is wrong? Publishing photos in a public space in facebook is (or at least arguably in court) distribution.

  4. Re:Firefox isn't helping on Google's Obfuscated TCP · · Score: 1

    Except that that would not be correct!

    You are right. I realized this shortly after posting. Allow me to amend to:

    Browsers should treat self signed certs as 'unsigned' no different than plain http, but giving the user some unobtrusive option to inspect and add the certificate so that future connections to the same site will be 'trusted'.

    But the default behaviour of the browser is to do nothing special. No big green lock icons, no giant error messages.

  5. Re:Firefox isn't helping on Google's Obfuscated TCP · · Score: 1

    I know you're exaggerating, but didn't browsers do that for forms submitted via POST?

    I'm not really exaggerating; check out the error message FF3 throws up for a self-signed cert:

    http://centrim.mis.brighton.ac.uk/more/h/tutorial/sscert-freeman-ff3/resolveuid/e90db9262cef2ca16bd4d9d16a939fa3

    It really does say "Get me out of here!" and very nearly the other nonsense I suggested...

  6. Re:Firefox isn't helping on Google's Obfuscated TCP · · Score: 1

    Or are you suggesting a picture of some other object?

    Yes, but not a red exclamation point.. something neutral like a brown circle or an orange square. Something that they can click on it if they want, to get the information about the connection but that's it.

    Given that unless you've verified the cert, its as unsecure as http, it should look nothing like, nor even hint at being 'secure'.

    But I think the full screen warning message is sort of the natural conclusion of this line of reasoning, in that it requires attention.

    It requires much special attention as a plain http connection does - that is to say: none. Users shouldn't have to do anything special, in fact, if they aren't paying attention they'll treat it like a regular insecure http connection, which for all intents and purposes, it is.

    If they go to the trouble of manually verifying it, and then adding it, THEN and only then does it have any MEANING, and then on subsequent visits, they'll get the green and the lock, and the horrible warnings if the cert has changed and doesn't match.

    But the point is, the default behavior of the browser should be to treat it as nothing special.

  7. Re:Ignorance and laziness is helping even less on Google's Obfuscated TCP · · Score: 1

    The problem is, we've tried to train users to look for the "https" or the lock, or both. Getting rid of the lock for self-signed connections is fine, but the https is still there, and it's misleading. That's a fair comment actually.

  8. Re:Firefox isn't helping on Google's Obfuscated TCP · · Score: 1

    After thinking it over a little more, wouldn't eavesdropping in that situation be a pretty straightforward man-in-the-middle attack?

    Yes and no. Yes if it was the first time you'd connected to that server. But if the browser cached self-signed certs, it would be reasonable to flag that it had changed with a message. Self-signed certs also have the potential to be verfied "out of band".

    That aside, if I were to agree that self-signed certs offered no security whatsoever, then the browser should just ignore them and treat the the connection plain http (ie do nothing special), nothing more, nothing less.

  9. Re:So fucking wrong it isn't even funny. on Google's Obfuscated TCP · · Score: 1

    Ranking:
    1. Signed certificates are, in theory (but not in practice), safe.
    2. No certificate means your communication may be sniffed.
    3. Self-signed / Wrong URL certificates indicates that someone is a man-in-the-middle.

    This list is BS.

    Yes, there might be some cheapass on the other end. However, that is up to you to verify. If you out-of-band verify that, and manually add the certificate on your end, then the 3 would go up to a number 1 - after verifying the fingerprint. Until that, it's an indication that it's a man in the middle.

    Until that, its completely meaningless.

    The entire idea that self-signed certificates gives ANY security is insane! If someone is able to intercept the traffic and listen to it - they are most probably able to be a man in the middle. In other words - it provides absolutely no security what-so-ever !

    self-signed certs have the potential to be secure if they are verified out-of-band. otherwise they are really NO DIFFERENT to plain http.

    That you have been rated as 5 is completely nuts. You don't understand the security model, and neither does the moderators.

    No, what is completely nuts is treating "absolutely no security whatsoever" to use your words any differently than plain http, which also has absolutely no security whatsoever. Our browsers don't freak out when they encounter a site with no cert, why should they freak out when they encounter a cert that is meaningless?

    Given they BOTH offer absolutely no security they should treat self-signed certs the same as regular http... ie do nothing.

  10. Re:Not necessarily on New Bill To Rein In DHS Laptop Seizures · · Score: 0

    Not necessarily. Obama will create a government healthcare system, that has been a failed idea in Canada.

    Where did you hear that? FoxNews? Most Canadians would strongly disagree with you that its a 'failed idea'. An imperfect execution to be sure, but not a failed idea.

    Their healthcare systems are nationalized, but they suck!

    The American system sucks much worse. Its all relative. I'm not sure why anyone who actually knows what's going on in both systems would prefer the system you've got.

    It would also drive us deeper into debt, the last thing we need right now.

    Oh come now, you are ALREADY going into stupid amounts of debt for much less intelligent reasons. Seriously, if you draw the line at 'health care' you're priorities are pretty fucked up. Hell, you'd be better off cancelling the bailout and doing health care with that money instead.

  11. Re:Firefox isn't helping on Google's Obfuscated TCP · · Score: 1

    Self signed certs can not be authenticated. You use a self signed cert, I can intercept your traffic, use my own self signed cert that would appear to be exactly like yours, read your traffic, and pass it along to your server as if nothing happened and neither side will know the difference.

    plain http can not be authenticated. You use plain http, I can intercept your traffic, pass it along to your server as if nothing happened and neither side will know the difference.

    Where is the dire warning each time I connect via plain http?

    All the browser SHOULD do in the event of a self signed cert is ABSOLUTELY NOTHING SPECIAL. Its no worse than plain http. It may not be any better, but its absolutely not worse. I agree that we should not confuse users or mislead them into thinking their connection is MORE secure, but there is no reason to make them think their connection is LESS secure.

    To use a car analagy, the car door can be open, ajar, or securely locked. Ajar isn't secure, and we shouldn't mislead people into thinking it is, but for some reason we are treating ajar as dangerously worse than open.

    That's idiotic.

    Signed,
    Someone else with a clue about cryptography

  12. Re:Ignorance and laziness is helping even less on Google's Obfuscated TCP · · Score: 1

    No, I take that back. It's a lot more important. How many identity thieves rely on packet sniffers? And how many rely on phishing? The ratio must be something like a million to 1. And any phisher can create a "secure" web site.

    Using a self signed cert doesn't make it 'secure', so all the browser has to do is treat it the same as any of the MILLIONS of regular insecure sites around.

    "It might be convenient if there were a separate mechanism for sites that need to verify their identify, and sites that just want an encrypted connection so hackers can't sniff passwords. But there isn't."

    Yes, there is.... paid for root authority signed certs provide the former, self signed certs provide the latter. It would be trivial for the browser to treat the two DIFFERENT types of cert appropriately.

    The inconvenience isn't a big one, because setting up a certificate just isn't that hard. The only reason nobody does it it because of the useless mechanism (those little approval boxes all computer users are programmed to ignore) that makes the whole certificate mechanism a joke.

    The browsers is at fault. It should by default accept a self-signed cert transparently without any fuss. It SHOULDN'T show a big green lock. It should just be a regular connection. If the self-signed cert changes on a subsequent visit, THEN they should get a warning. That's it.

  13. Re:Your privacy was eroded for you on Give Up the Fight For Personal Privacy? · · Score: 1

    The right of publicity only applies to commercial exploitation.

    Facebook is commercial exploitation.

  14. Re:Firefox isn't helping on Google's Obfuscated TCP · · Score: 1

    Firefox is right about this. Most people rely on the little lock icon to "make sure this is really the bank's website".

    So don't show a lock, or make a big show out of self signed certs. Treat them the same as plain http. There is no reason to treat them as 'worse' than plain http. That's just absurd.

    If you think about it, it's probably the only way to be really really sure that the website you're visiting actually belongs to "Bank ABC". Warning the user about self-signed certificates prevents people from making keys such as "Citibank - NY" while looking legitimate.

    Not if the browser treats self-signed certs as identical in value to plain http.

    Or put another way, why not show errors for EVERY plain http site as well, telling users that the server hasn't been authenticated, there is no gaurantee it actually belongs to who you might think it belongs, and on top of all that, 3rd parties can trivially eavesdrop too.

    By your logic why exactly shouldn't we have THOSE errors?

  15. Re:Firefox isn't helping on Google's Obfuscated TCP · · Score: 2, Insightful

    What's difficult is if I'm technically capable of eavesdropping, I'm technically capable of MitM and thus a self-signed certificate doesn't add any extra security.

    So have the browser treat it as being unsigned. Don't do anything special. Don't put up a big green lock. Don't make a fuss. Even if its not really MORE secure, its certainly not LESS secure, so firefox at WORST should treat it exactly the same as plain http.

  16. Re:Firefox isn't helping on Google's Obfuscated TCP · · Score: 5, Insightful

    Most users are too dumb to check for SSL, good luck getting them to discern insecure, 'insecure but can't be eavesdropped', and secure.

    Fair enough. So don't put the secure green lock up for self signed SSL. Put up a totally different icon in some neutral color like blue. If they click on it it says, the connection is encrypted and can't be eavesdropped but there is no gaurantee you are talking to who you think you are.

    Hell, most users would be shocked to find out you can eavesdrop on their traffic in the first place.

    Good point! Maybe firefox 3 should pop up a huge error screen every time you try to connect to a site with plain http. It could say something like:

    The server you are connecting to is insecure. Maybe there is a configuration error on the server. Or maybe someone is trying to impersonate it. Oh, and by the way, not only that, but any communication with them maybe trivially intercepted by any 3rd party...

    Are you sure you want to communicate with them?

    Then it could have friendly buttons like:

    "Hell no get me out of here." or "Ok, I don't mind getting pnwed!"

  17. Re:Your privacy was eroded for you on Give Up the Fight For Personal Privacy? · · Score: 1

    Ok, so sign up under a pseudonym using a fake email address and no picture. I just don't see the problem with that?

    Because it strikes me as profoundly hypocritical to violate a EULA for the purpose of enforcing my IP rights. I agree its a pragmatic and effective solution, but I find it ethically unsatisfactory, and I would prefer a solution that is ethically sound.

    For the same reason, I am not satisfied with buying DRMed content that can be cracked. I shouldn't have to crack somehting I legally own to use. Same idea. Same sort of objections.

  18. Firefox isn't helping on Google's Obfuscated TCP · · Score: 4, Insightful

    Firefox isn't helping the lack of SSL on the web by throwing a ridiculous warning when using self signed certs. Browsers should treat self signed certs as 'unsigned with the added bonus that communications can't be eavesdropped' instead of freaking out that you might not know who you are talking too.

    self signed certs aren't appropriate for processing credit cards... but not every site that has forms needs that... and simply removing eavesdroppers would be a step in the right direction.

  19. Re:Your privacy was eroded for you on Give Up the Fight For Personal Privacy? · · Score: 1

    Can a friend put your picture on his geocities page?

    Technically, no. Assuming he took the picture then its his copyright, but he still needs a model release to publish identifiable photos.

    Can your friend put a picture of both of you with a label identifying you on his wall in his public office?

    Offices aren't generally 'public' places within the legal definition of 'public place'.
    But if it truly were a public place then he'd technically need a release.

    But the biggest difference between geocities and facebook is that I can see what my friend has put in his public space on geocities without signing up and agreeing to geocities terms of use. With facebook, I can't see what someone publishes without first becoming a EULA signing member.

  20. Re:Your privacy was eroded for you on Give Up the Fight For Personal Privacy? · · Score: 1

    If you don't have an account, the pictures others post and tag as you have as much weight as if someone snapped a picture of you in the grocery store (perfectly legal)

    so far so good.

    and attached your name to it (they saw it on your business card you dropped from your wallet in the check-out line)

    still good

    and uploaded it to a blog.

    Wait just a minute. A public blog? Without me having signed a model release for that image? Sorry to rain on your parade, but while they may own the image, they can't just go publish an 'identifiable photo' of me without my consent.

  21. Re:Your privacy was eroded for you on Give Up the Fight For Personal Privacy? · · Score: 2, Interesting

    You can control tags of you in your Facebook privacy settings.

    How does that work if you don't have a facebook account because you refuse to accept their terms of service?

  22. Re:Your privacy was eroded for you on Give Up the Fight For Personal Privacy? · · Score: 2, Informative

    I agree, the helpful details etc are annoying as anything. You can, however, UNTAG yourself from photos! If you care about privacy (as you clearly do, and I do as well), I would highly recommend untagging yourself.

    So, let me get this straight, I have to sign up to facebook in order to protect my privacy? Surely I'm not the only one that sees anything fucking wrong with that? If I'm not on facebook I shouldn't have to sign up to keep myself off.

    What's next?
    Will you have to put yourself on the no-fly list in order to find out if you are allowed to fly?
    Or perhaps you'll agree to provide SIN, drivers license, photos, address, and fingerprints to use anonymizing services like tor?
    Lets just be done with it and have a barcode tatooed on your forehead to enable you to purchase or sell goods...

  23. Re:80??? Not much of a limit. on Ford To Introduce Restrictive Car Keys For Parents · · Score: 1

    Uhhh, the examples you cite are about people doing 100 kilometers an hour and beyond,

    Of course I realize that; its trivially deducible from the fact that the examples I cited are about people doing in excess of 80mph, which is the limit being proposed.

    First example was 150km/h = 93.2mph
    Second was 140km/h = 87mph
    Third example: 100mph (duh!)

    I hope you aren't working on the next mars lander. ;)

  24. Re:80??? Not much of a limit. on Ford To Introduce Restrictive Car Keys For Parents · · Score: 1

    Nope. I'd just like know what this does at all to prevent anything.

    Clearly it prevents your kid from exceeding 80mph. That would eliminate a certain degree of street and highway racing...

    "An Ontario couple on their way home from celebrating their 17th wedding anniversary are the innocent victims of a street race between two young men, police say....Police say the two racing vehicles were travelling 150 km/h in the 80 km/h zone..."

    "Earlier this year, Toronto cab driver Tahir Khan was killed after two teens were allegedly street racing along Mount Pleasant Avenue, reaching speeds of up to 140 km/h in the 50 km/h zone."

    http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20060528/crash_fatal_060528/20060528?hub=CTVNewsAt11

    "Orlando Fla... FHP investigators said Eleazar Rodriguez Jr. was traveling more than 100 m.p.h. when he was cut off by the Eclipse.

    Investigators said the Eclipse apparently hit the Oldsmobile and sent it into oncoming traffic, where it clipped a truck. The people inside the truck said the Oldsmobile came right at them."

    http://www.wesh.com/news/14287006/detail.html?subid=10100244

    Sure the kids might still speed, and do 80mph. But as fast as 80mph is its a lot slower than 100mph and beyond. And it might have prevented the race from occurring all if the drivers knew the cars were speed-capped anyway.

    Its obviously not going to stop all accidents, but it might stop a few, and I don't think anyone can really make a coherent argument that limiting the kids to 80mph is ever going to be a credible threat to their lives. The potential liklihood for a "need" to do 100mph to escape a collapsing bridge in an earthquake notwithstanding. ;)

  25. Re:Oh just go away on Mono 2.0 and .NET On Linux · · Score: 3, Insightful

    If we wanted to run crappy Microsoft technologies, we'd just go buy Windows, wouldn't we?

    That must be why the WINE project is such a silly idea... oh wait...