why is Mozilla.org is allowing a mode where any Tom Dick or Harry can drop in a bunch of files in the install directory and suddenly all the users get the extension on by default? I wish Firefox will just disallow such a way of installing extensions.
I wish I had a pony. Mozilla can't prevent what the OS or other programs do with Firefox on your PC. Also, allowing a mode where a sysadmin can drop in a bunch of files in the install directory and suddenly all the users get the extension is a *good* thing for enterprise... usually.
If Microsoft were to "block" Firefox from running due a security vulnerability
If Mozilla started installing Firefox onto my machine in a security update for Thunderbird (and prevented its uninstall), I'd welcome such a block, no matter how good Firefox is. I don't care if.NET Assistant will pick up my dry cleaning; I want it perma-blocked.
Now I'll admit that there are only a few posts above mine, but already they are generally negative. Which I don't get.
Isn't this a good thing?
Microsoft releases a couple of Firefox plug-ins.
A security vulnerability was discovered in the plug-ins.
Mozilla disables the plug-ins.
Microsoft and Mozilla has a talk about the the vulnerability and it appears that one of the plug-ins aren't vulnerable.
The plug-in is re-enabled.
As far as I can tell, this is the system working properly.
I bolded two things I don't agree with. You skipped an important statement: Microsoft forcibly installed said plug-in, and prevented its removal.
'The rate for a 30-year mortgage is around 5%,' Lee said. 'Why should anyone have to pay 8.5%? The government has bailed out homeowners. It's bailed out big businesses. Why can't it also help students?'
Angry? You just got a "free" education, dummy. Sure, you have to pay the money back, but you didn't have to work and go to school intermittently for 10+ years hoping that you can finish your first degree before your credits are too old to apply. Your 401k/403b/457b/whatever will also have a 5-6 year head start, which will be amazing. College students from every previous generation have had a reputation for being poor. The subject of this post is a joke from a while back. Same as "Can you spare a dime? Working my way through med school."
We should use "Atomic"; ie "Atomic Fusion". Although very 40's-50's-ish, at least it has less fear factor since "Atomic anything" was good back then. When radiation and nuclear war became the bogeyman, "Nuclear" was the bad word.
Wheres the outrage from the users who always have a huge bitch when other "more evil" companies disable something on your system automaticall?
I'll show you where it is: Open up your Firefox browser, surf to "about:config" and search for blocklist. There ya go. Oh wait, that's the place that allows you to turn off or fine tune Mozilla's blocklist.
For the first time in over 15 years you now have a chance to actually crack open a Black Lotus from a $4 pack of MtG cards. Winning the lottery is more likely, but it is still possible.
There are lots of programs that install plugins automagically...Skype, antiviruses, and Picasa are a few that I can think of off the top of my head. The only bad part of this whole thing is that MS screwed up the remove/uninstall feature by making it show up for all users.
No. This was an auto-install of a new plugin during an auto-update for.NET framework. It's like a car shop installing a GPS device in your car unasked when you go in for a routine oil-change. Maybe you want to use it, maybe you don't. Maybe they shouldn't have drilled holes in your dashboard and riveted it in place. Oh, and it seems to make your car a target for smash 'n grab thieves...
It is just you. The story you linked to was about the "fix" that allows removal of the sneaky add-on. This story is about the fact that the sneaky add-on just had a verified security flaw.
$100 to the first person to post the fully draft here or on wikileaks. Seriously we can leak SpiderMan movies, crack supposedly uncrackable digital encryption schemes and share giant files, but nobody is willing to post perhaps 60kb of text? IANAL but, Considering the type of legislation, leaking this sort of thing isn't likely to follow with litigation against the mole.
It's not litigation we're worried about. Governments that try to do the people's normal business secretly are more likely to do abnormal business (silencing dissent) secretly too. $100 is not enough reward to gamble ruination for.
What was the Safe Word, Toyota? If she really opted in, there was one. I bet you they'll say next that when she said "no", she really meant "yes", so it was consensual.
Those backward Finns. They don't realize that this makes them less free. I suppose they have health care for everyone over there and think it's a good thing. I bet people get free education through college in Finland, too. What a shame.
They also have mandatory military service for all citizens, and you have to pay money for public toilet use.
The Slashdot headline "restore" is wrong. England and Wales [wikipedia.org] have never had freedom of speech. It cannot be "restored", it was never there.
Indeed. Any judge is still allowed to prevent the media from reporting on Parliament. (Trafigura's lawyers dropped the gag request). There is still no freedom.
I could be running the next whatsmyipaddress.com or something similar (don't laugh, but I know a "sysadmin" for whom such a site is a valued diagnostic tool; when I talked him through typing ipconfig on the command line, he typed "ip config"), or a random character generator, or I might want a 1994 era hit-counter on the bottom of my page. I can think of a lot of things that are dynamic that don't require authenticated users.
Would you vote C for shut down the site even if it were your own site?
If it was my own site (and I was the only one accessing it), I could verify the cert manually, and I'd go my merry way. If it was my own site, and other people were expected to authenticate to it, or were supposed to trust the cert to trust that the information on the site came from me, I'd sure as hell vote for C. I'd rather not contribute to the misconception that self-signed certs are completely safe and should just be accepted, and since only my friends would be calling me to verify the cert (and even they would get annoying about it), then I'd rather have no https. With no https, there's no chance I'd have a login field.
For people who do not want to take down their sites, how would you recommend that they justify to their superiors the doubling in web hosting prices that come with SSL?
If IE and firefox started "shutting down" the sites by following the OP's example, then they'd justify it by saying "Double cost or no site. Have site or no business/org/forum. Ergo, Double cost or no business/org/forum."
Moreover... poking on Facebook only actually works if the person has added you as their friend.
If you went to court to get a no-contact order against someone else, why the heck would you add or keep them as your friend on facebook?
Everything status update, every message you post shows up as a communication to all your friends... so you're actually initiating contact with them!
And when did she poke the recipient? A poke is seen "The next time user logs in". Possible timeline:
Poker befriends Pokee on facebook.
Both logoff.
Poker logs on.
Poker pokes Pokee
Poker logs off
Poker does evil thing to Pokee
Pokee gets restraining order
Pokee logs in to Facebook much later. "OMG! I was Poked! Call the Cops!"
Given the following choices for a site that doesn't take credit cards:
A. Use a self-signed certificate for the password form
B. Do not use encryption on the password form
C. Take the site off the Web entirely
Which would you choose?
I vote "C". "A" gives a false sense of security unless you can contact the site owner off channel and verify the cert manually. "B" is beyond worthless. Password transactions should be encrypted and only sent to verifiable recipients.
Anyway, is there a possibility for websites to give you a secure line to them, without depending on a third party?
If you take your computer to their server farm and plug directly into their webserver. Or maybe if they pay Mozilla, Microsoft, et al to put their self-signed certs in the browsers. The networks in between will always be an untrusted third party.
People don't like (potential) failures that are out of their control. According to statistics, my data on my personal HDD or phone is more likely to fail than data on an average "cloud" storage array, but I can keep my HDDs and phone from harm and monitor and test backups. Same idea with automobiles versus airplanes: cars are supposedly more dangerous, but we're each our own pilot. Airplane crashes are scary partly because of the size, but also because in an emergency, we know there's nothing we can do.
Because people are going to ask:
Q: And what about self-signed where you can verify the cert's sig? Some applications only require half-arsed.
A: There obviously needs to be a workaround; either manual typing or pre-load it or your corporate CA's cert into company intranet browsers. Do something that _forces_ comparison of the sigs, not click click click (click click click click click click for FF3).
How can a fictional ad jar you from immersion in a fictional setting more then a real ad, trying to get you to buy a real product in a fictional setting?
Because from nearly four decades of practice, I've learned to ignore ads for products I recognize. This is why some companies constantly change their logos or packaging.
why is Mozilla.org is allowing a mode where any Tom Dick or Harry can drop in a bunch of files in the install directory and suddenly all the users get the extension on by default? I wish Firefox will just disallow such a way of installing extensions.
I wish I had a pony. Mozilla can't prevent what the OS or other programs do with Firefox on your PC. Also, allowing a mode where a sysadmin can drop in a bunch of files in the install directory and suddenly all the users get the extension is a *good* thing for enterprise... usually.
If Microsoft were to "block" Firefox from running due a security vulnerability
If Mozilla started installing Firefox onto my machine in a security update for Thunderbird (and prevented its uninstall), I'd welcome such a block, no matter how good Firefox is. I don't care if .NET Assistant will pick up my dry cleaning; I want it perma-blocked.
Now I'll admit that there are only a few posts above mine, but already they are generally negative. Which I don't get. Isn't this a good thing?
Microsoft releases a couple of Firefox plug-ins.
A security vulnerability was discovered in the plug-ins.
Mozilla disables the plug-ins.
Microsoft and Mozilla has a talk about the the vulnerability and it appears that one of the plug-ins aren't vulnerable.
The plug-in is re-enabled.
As far as I can tell, this is the system working properly.
I bolded two things I don't agree with. You skipped an important statement: Microsoft forcibly installed said plug-in, and prevented its removal.
'The rate for a 30-year mortgage is around 5%,' Lee said. 'Why should anyone have to pay 8.5%? The government has bailed out homeowners. It's bailed out big businesses. Why can't it also help students?'
Angry? You just got a "free" education, dummy. Sure, you have to pay the money back, but you didn't have to work and go to school intermittently for 10+ years hoping that you can finish your first degree before your credits are too old to apply. Your 401k/403b/457b/whatever will also have a 5-6 year head start, which will be amazing. College students from every previous generation have had a reputation for being poor. The subject of this post is a joke from a while back. Same as "Can you spare a dime? Working my way through med school."
We should use "Atomic"; ie "Atomic Fusion". Although very 40's-50's-ish, at least it has less fear factor since "Atomic anything" was good back then. When radiation and nuclear war became the bogeyman, "Nuclear" was the bad word.
Wow, some mod has no sense of humor. Well, I laughed, anyway XD
I've noticed a lot of funny posts getting Offtopic moderations lately. I'm guessing that a new NLP AI has been given mod points.
Wheres the outrage from the users who always have a huge bitch when other "more evil" companies disable something on your system automaticall?
I'll show you where it is: Open up your Firefox browser, surf to "about:config" and search for blocklist. There ya go. Oh wait, that's the place that allows you to turn off or fine tune Mozilla's blocklist.
For the first time in over 15 years you now have a chance to actually crack open a Black Lotus from a $4 pack of MtG cards. Winning the lottery is more likely, but it is still possible.
And buying it outright will still be cheaper.
There are lots of programs that install plugins automagically...Skype, antiviruses, and Picasa are a few that I can think of off the top of my head. The only bad part of this whole thing is that MS screwed up the remove/uninstall feature by making it show up for all users.
No. This was an auto-install of a new plugin during an auto-update for .NET framework. It's like a car shop installing a GPS device in your car unasked when you go in for a routine oil-change. Maybe you want to use it, maybe you don't. Maybe they shouldn't have drilled holes in your dashboard and riveted it in place. Oh, and it seems to make your car a target for smash 'n grab thieves...
Is it just me, or were we just talking about this
It is just you. The story you linked to was about the "fix" that allows removal of the sneaky add-on. This story is about the fact that the sneaky add-on just had a verified security flaw.
$100 to the first person to post the fully draft here or on wikileaks. Seriously we can leak SpiderMan movies, crack supposedly uncrackable digital encryption schemes and share giant files, but nobody is willing to post perhaps 60kb of text? IANAL but, Considering the type of legislation, leaking this sort of thing isn't likely to follow with litigation against the mole.
It's not litigation we're worried about. Governments that try to do the people's normal business secretly are more likely to do abnormal business (silencing dissent) secretly too. $100 is not enough reward to gamble ruination for.
What was the Safe Word, Toyota? If she really opted in, there was one. I bet you they'll say next that when she said "no", she really meant "yes", so it was consensual.
Those backward Finns. They don't realize that this makes them less free. I suppose they have health care for everyone over there and think it's a good thing. I bet people get free education through college in Finland, too. What a shame.
They also have mandatory military service for all citizens, and you have to pay money for public toilet use.
The Slashdot headline "restore" is wrong. England and Wales [wikipedia.org] have never had freedom of speech. It cannot be "restored", it was never there.
Indeed. Any judge is still allowed to prevent the media from reporting on Parliament. (Trafigura's lawyers dropped the gag request). There is still no freedom.
I could be running the next whatsmyipaddress.com or something similar (don't laugh, but I know a "sysadmin" for whom such a site is a valued diagnostic tool; when I talked him through typing ipconfig on the command line, he typed "ip config"), or a random character generator, or I might want a 1994 era hit-counter on the bottom of my page. I can think of a lot of things that are dynamic that don't require authenticated users.
Then why do web hosting companies even offer plans with PHP and no HTTPS?
Because not everyone uses PHP for content that needs to be authenticated.
Tired of the WoW grind? Hop into a Harvester and start gathering Tiberium for a living!
Would you vote C for shut down the site even if it were your own site?
If it was my own site (and I was the only one accessing it), I could verify the cert manually, and I'd go my merry way. If it was my own site, and other people were expected to authenticate to it, or were supposed to trust the cert to trust that the information on the site came from me, I'd sure as hell vote for C. I'd rather not contribute to the misconception that self-signed certs are completely safe and should just be accepted, and since only my friends would be calling me to verify the cert (and even they would get annoying about it), then I'd rather have no https. With no https, there's no chance I'd have a login field.
For people who do not want to take down their sites, how would you recommend that they justify to their superiors the doubling in web hosting prices that come with SSL?
If IE and firefox started "shutting down" the sites by following the OP's example, then they'd justify it by saying "Double cost or no site. Have site or no business/org/forum. Ergo, Double cost or no business/org/forum."
Moreover... poking on Facebook only actually works if the person has added you as their friend. If you went to court to get a no-contact order against someone else, why the heck would you add or keep them as your friend on facebook? Everything status update, every message you post shows up as a communication to all your friends... so you're actually initiating contact with them!
And when did she poke the recipient? A poke is seen "The next time user logs in". Possible timeline:
Poker befriends Pokee on facebook.
Both logoff.
Poker logs on.
Poker pokes Pokee
Poker logs off
Poker does evil thing to Pokee
Pokee gets restraining order
Pokee logs in to Facebook much later. "OMG! I was Poked! Call the Cops!"
Given the following choices for a site that doesn't take credit cards:
Which would you choose?
I vote "C". "A" gives a false sense of security unless you can contact the site owner off channel and verify the cert manually. "B" is beyond worthless. Password transactions should be encrypted and only sent to verifiable recipients.
Anyway, is there a possibility for websites to give you a secure line to them, without depending on a third party?
If you take your computer to their server farm and plug directly into their webserver. Or maybe if they pay Mozilla, Microsoft, et al to put their self-signed certs in the browsers. The networks in between will always be an untrusted third party.
People don't like (potential) failures that are out of their control. According to statistics, my data on my personal HDD or phone is more likely to fail than data on an average "cloud" storage array, but I can keep my HDDs and phone from harm and monitor and test backups. Same idea with automobiles versus airplanes: cars are supposedly more dangerous, but we're each our own pilot. Airplane crashes are scary partly because of the size, but also because in an emergency, we know there's nothing we can do.
Because people are going to ask:
Q: And what about self-signed where you can verify the cert's sig? Some applications only require half-arsed.
A: There obviously needs to be a workaround; either manual typing or pre-load it or your corporate CA's cert into company intranet browsers. Do something that _forces_ comparison of the sigs, not click click click (click click click click click click for FF3).
While you're guessing with such precision, why not choose 42% and grab more nerd eyes?
How can a fictional ad jar you from immersion in a fictional setting more then a real ad, trying to get you to buy a real product in a fictional setting?
Because from nearly four decades of practice, I've learned to ignore ads for products I recognize. This is why some companies constantly change their logos or packaging.