No, I would have no qualms hurting/enslaving/experimenting on intelligent aliens.
I don't think most folks who have decided that non-human animals are okay to torture for human benefit would go this far. You seem to me to be outstanding in your xenophobia.
But maybe you're just coming at it from what you think of as a practical angle, knowledge gained to cope with a possible threat (albeit at the cost of offense to an other).
I'd argue that the expectation of malice, so great that it pushes most sentient entities away from you into the conceptual category of "other", so compelling that it drives you to inflict pain on others in pre-emptive self-defense, is itself the root of evil.
In the crucible of recognition, Of just who we are, Foolish jewelry burns away. We are they.
I say sentience is fundamental, and it's on sentience that I base my conception of "self" (as in "self v. other"). Substrate for the sentience is not a primary determinant, nor is mere flavor of substrate. You could be an animal or a silicon-based computer AI and I would value your sentience. Quibbling over whether a chimp or a human is deserving of care is, to my mind, getting lost in the weeds.
Researchers at the security firm Accuvant released a study Friday that gauges the security features of the top three web browsers. Accuvant admits the study was funded by Google, and naturally, Chrome came out on top.
"Chrome came out on top" is the link to a blog article? What about
Researchers at the security firm Accuvant released a study Friday that gauges the security features of the top three web browsers. Accuvant admits the study was funded by Google, and naturally, Chrome came out on top. (Forbes reviews the study.)
The text of the link indicates the thing being linked to.
And, Soulskill:
The full research document is available here (PDF), and it goes into much greater detail than the Forbes article. Accuvant also published the tools and data they used in the study, which should help to evaluate their objectivity.
Not so bad. Could be a wee better, but I won't harp on the matter.
Anyway, less deciphering of what links mean lets us have a more enjoyable news reading experience.
"But what's really scary, is that the evidence F-Secure found suggests that DigiNotar was hacked at least two years ago."
I don't agree that having one's ass hanging in the wind — thinking your SSL connections are secure while they're not — for two years is a system that "works".
It's astonishing in the current landscape where most everyone appears to be concerned and casting about for solutions to see someone thinking the CA system is fine. The foundation of the CA system involves giving each of hundreds of race-to-the-bottom entities complete authority over your SSL security. Even if "race-to-the-bottom" weren't their nature, you'd still have a bell curve of performance, and the tail on the left side is your maximal security. (You are here.) The system is inherently flawed.
Diversity ensures that we don't drive into a dead end, and Mozilla paved the way for alternative browsers, pushing websites away from IE-only design, and making the new technologies we have today possible
Exactly. Their main objective at the outset was to "take back the web". The shape of this graph, where it comes back from monopoly around 2004, is because of Firefox. We all have good reason to be thankful.
Microsoft's stranglehold on the market let them define the standards, including not making any progress for 5 damned years. Stuck with cross-browser incompatibilities, stuck without technological progress or many of the features we take for granted these days, stuck with a browser that got everyone's system hacked and ate up countless geek hours with reinstalls. Man, what a nightmare.
And it wasn't just Microsoft's fault. It was also the fault of the users who did not opt for a heterogeneous browser ecosystem. Granted, it's a lot to ask the average person to defend a "heterogeneous browser ecosystem", but at least the geeks (and epidemiologists) should get it. And if you don't, let me spell it out for you: Don't push us towards browser monoculture. Not again, please. That sucked.
There's truth in this except for your use of "hype real" which is incorrect.
There's little on television that's not some overblown version of reality, including stuff called "reality television". If it's not hyper-real, what is it? Would you call what you see on TV just "real"?
I refer to this as "burning your eyes out" on impossibly great beauty. Sadly, it raises our overall dissatisfaction.
It's a similar kind of desensitization to what you get more generally from absorbing years of hyper-real broadcast media. TV = mind candy. Most folks = mentally prediabetic.
any other response - including nothing - will only prove beyond a shadow of a doubt
Rhetorical traps like that don't really bolster arguments for most people, so you know. And, in case you thought your trap was true, it's not.
But, anyway, while it's possible to frame just about anything in both negative and positive forms, his qualification may have been trying to convey a meaningful constraint though he failed to articulate it. I leave it to more intelligent proponents to express it.
For the case of most worms and other such automated attacks, moving your service from its default port is actual defense.
I can imagine worms that port scan looking for service signatures, but I haven't heard that that's common. Anyway, scanning lots of ports per machine would greatly slow a worm down or make an automated attack more obvious (showing up in more service logs).
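The cost asymmetry described in the two comments above can be made concrete. What follows is an added example, not text or code from the commenter: a per-source rule that flags a client touching many distinct ports on one host inside a short window, run over constructed firewall log lines (the addresses, timestamps and the log format are invented for the demonstration). A fixed-port worm probing one port per host stays under the threshold; a signature-hunting worm that walks candidate ports on a single host is exactly what the rule, and the extra log entries, expose.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an invented "ts src -> dst:port action" format.
# 203.0.113.9 behaves like a fixed-port worm: one probe to port 22 per host.
# 198.51.100.7 hunts for a relocated SSH daemon by walking ports on one host.
SAMPLE_LOG = [
    "2011-09-01 12:00:00 203.0.113.9 -> 10.0.0.1:22 DROP",
    "2011-09-01 12:00:01 203.0.113.9 -> 10.0.0.2:22 DROP",
    "2011-09-01 12:00:02 203.0.113.9 -> 10.0.0.3:22 DROP",
    "2011-09-01 12:00:03 203.0.113.9 -> 10.0.0.4:22 ACCEPT",
] + [
    f"2011-09-01 12:01:{i:02d} 198.51.100.7 -> 10.0.0.5:{2200 + i} DROP"
    for i in range(15)
] + [
    "2011-09-01 12:01:15 198.51.100.7 -> 10.0.0.5:2222 ACCEPT",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["port"])


def port_scan_sources(lines, window=timedelta(seconds=60), min_ports=10):
    """Flag (src, dst) pairs where src touched at least `min_ports` distinct
    ports on dst within any interval of length `window`.
    Returns a sorted list of (src, dst, max_distinct_ports_in_window)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, port = rec
            events[(src, dst)].append((ts, port))
    flagged = []
    for (src, dst), evs in events.items():
        evs.sort()
        best = 0
        # Slide a window starting at each event; count distinct ports inside it.
        for i, (start, _) in enumerate(evs):
            seen = {p for ts, p in evs[i:] if ts - start <= window}
            best = max(best, len(seen))
        if best >= min_ports:
            flagged.append((src, dst, best))
    return sorted(flagged)


if __name__ == "__main__":
    for src, dst, n in port_scan_sources(SAMPLE_LOG):
        print(f"{src} probed {n} distinct ports on {dst}")
```

The fixed-port worm leaves one line per host and is indistinguishable from background noise to this rule; the port walker leaves sixteen lines against one host and is flagged at the default threshold.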
Building on top of DNSSEC leaves you maximally as secure as DNSSEC itself. The IETF document you reference in your paper, "Threat Analysis of the Domain Name System", lists among several weaknesses:
Like DNS itself, DNSSEC's trust model is almost totally hierarchical. While DNSSEC does allow resolvers to have special additional knowledge of public keys beyond those for the root, in the general case the root key is the one that matters. Thus any compromise in any of the zones between the root and a particular target name can damage DNSSEC's ability to protect the integrity of data owned by that target name. This is not a change, since insecure DNS has the same model.
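To put numbers on the two structural arguments made on this page (the CA model as a logical OR over every trusted root, with the weakest root bounding your security; and DNSSEC's trust as a chain through every zone between the root and the name), here is an added example, not code from the commenter or from any CA or DNS software. The per-CA failure probabilities are constructed for illustration, and `dnssec_path_zones` assumes each label boundary above the name is a zone cut.

```python
import math

# Constructed population: 600 trusted roots, most careful, a handful sloppy,
# one bad. Illustrative numbers, not measured mis-issuance rates.
CONSTRUCTED_CA_POPULATION = [0.001] * 590 + [0.01] * 9 + [0.05]


def p_any_ca_breached(per_ca_p):
    """Probability that at least one trusted CA mis-issues for your name:
    1 - prod(1 - p_i). Every root is an independent OR term, because any
    of them can sign a certificate the browser will accept."""
    return 1.0 - math.prod(1.0 - p for p in per_ca_p)


def weakest_ca(per_ca_p):
    """The protection you actually get is bounded by the worst root in the
    store: the left tail of the bell curve."""
    return max(per_ca_p)


def dnssec_path_zones(name):
    """Parent zones whose keys the DNSSEC chain for `name` passes through,
    root first. Assumes each label boundary above the name is a zone cut;
    the name's own zone operator is trusted by definition and not listed.
    'www.example.com' -> ['.', 'com.', 'example.com.']"""
    labels = name.rstrip(".").split(".")
    zones = ["."]
    for i in range(len(labels) - 1, 0, -1):
        zones.append(".".join(labels[i:]) + ".")
    return zones


def who_can_forge(name, ca_count):
    """Number of third parties able to produce an accepted credential for
    `name` under each model (the site itself excluded)."""
    return {
        "ca_model": ca_count,                          # any trusted root
        "dnssec_model": len(dnssec_path_zones(name)),  # any ancestor zone
    }


if __name__ == "__main__":
    print("P(some CA fails):", round(p_any_ca_breached(CONSTRUCTED_CA_POPULATION), 3))
    print("worst CA:", weakest_ca(CONSTRUCTED_CA_POPULATION))
    print("DNSSEC chain for www.example.com:", dnssec_path_zones("www.example.com"))
    print(who_can_forge("www.example.com", len(CONSTRUCTED_CA_POPULATION)))
```

With the constructed population the OR over 600 roots lands above 50 percent even though 590 of them are at one in a thousand, which is the arithmetic behind "the tail on the left side is your maximal security". The DNSSEC figure is smaller, but every party on the path is one you cannot remove from your configuration, which is the trade the later DNSSEC comment objects to.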
Maybe that's one way deadpan delivery augments humor. The other would be to make the emotional expression of the speaker contradictory to their beliefs (thus creating the gap referred to in the article).
Well enlightened people might not have many gaps in their reflexive understanding, so by the thesis of this article they would tend to experience fewer false inferences.
Some of the "substrate" of jokes are offensive but only educated/experienced audiences would know. Jokes in the context of the Holocaust v. Holocaust survivors. I find this happens more often for me as I grow older and more informed. Jokes about people suffering aren't so abstract anymore, after having seen or experienced much suffering.
Oh, interestingly, the counterpart correlate here is that the younger you are the more things are amusing. Down to things like peek-a-boo.
You allow for some hard-core religious folk to have a sense of humor by saying just that it's less probable they will the more religious they are, which is smart hedging. The Dalai Lama seems to be regularly amused.
How insecure would you say the current CA model is? Looking at the fundamentals (logical OR of 600 CAs v. bell curve of their performance) I feel like it's "well and truly fucked".
How relatively secure would you say the Convergence system (as a concept) is? (Or if you want to address the actual implementation's relative security, please do.)
I don't expect this list to make it as one of the high-rated questions; I'm just offering it as food for thought and in the off chance that Mr. Marlinspike would find interest in addressing any of its ideas.
Automatic Vetting of Notaries What if the software monitored performance of notaries over time (checking concordance, availability, misbehavior of whatever sort, etc.) and internally rated the notaries, even disabling (and perhaps reporting) badly behaving ones?
Redundancy What about a configuration option that makes a plug-in fallback to using the existing CA system (perhaps with warning) when insufficient notaries are available?
Names Is Convergence a plug-in or a protocol or a system or any/all of these? If the system and protocol prove viable and a different plug-in is created by others, should they say they use the "Convergence system and protocol"?
Inherently Distributed What about the option for the plug-in to double as a notary itself, vaguely resembling a Bittorrent-like distribution of client/server responsibility? Maybe have plug-ins report their sites pseudonymously to central repositories? (I imagine such pseudonymy would be very fragile.)
Current CA System Reform — Multiple Signatures I'm guessing by your seeming politics that reform may not be considered as workable as wholesale change, but... Do you think allowing multiple signatures on SSL certs would enhance trust agility in any practical way (perhaps by allowing easier delisting of previously too-big-to-fail CAs)?
Signatures In A Notary-Based Landscape What about the idea of allowing signatures from (multiple) notaries to be imported into a site's certificate? Thus the user's software may not need to perform the notary queries (increasing resource consumption and (theoretically) information leakage) if the certificate is already signed by user-trusted notaries. (Could this encourage consolidation into a system virtually the same as the current CA model?) (Could this be used in profiling a user's trust relationship to notaries?)
Relation To Perspectives What is your system's relation to Perspectives? Was their work seminal?
Do you see the matter of how users come to trust the notaries themselves as a concern? What methods do you see for assuring users that a list of notaries is in fact recommended by a given party? I see notaries distributed with the Convergence plug-in (is the distribution signed?), but doubtlessly that's not meant as a steady-state solution as it does not promote trust agility.
Have you considered notary list configuration based on "subscriptions" à la AdBlock lists? For example, if the EFF periodically published a signed "EFF Trusted Notaries" list, as one of a number of organizations doing so?
And how much is a working web of trust required for this? Do you feel there is one?
Sure USB is the answer (or there may even be other media options), but the question is how?
Thanks, AC, for the detailed answer, but even the Windows USB/DVD Download Tool requires an ISO. This netbook came pre-installed. There is no disc, no ISO. And I would rather not buy an ISO of Windows 7 when I already own the OS.
But thanks for the link to the WU/DDT, I'll see if I can leverage that somehow, and I'll keep looking for either a free ISO or a way to use the existing installation's files.
Where ambiguity lies, we insert our biases.
I don't think pettiness is an unalterable trait.
Isn't misbehavior best discouraged?
Hypocrisy is commonly abhorrent?
Note "the 10" is a Southern Californiaism. (And "the 10" is not redundant.)
In Northern California I more frequently hear references to "85" or "280".
Either works fine.
Sumatra PDF has had a browser plug-in available for about 9 months.
Email is extremely convenient for file transfer, but I prefer not to have my mail store so bloated.
What happens when my friends want to start emailing me movies?
I haven't figured out the true nature / fundamentals involved here.
Oh, sorry, here's the graph.
The sound that accompanies it as it starts plummeting in 2008 is "aaaaah".
Should you sort your waste?
Should you not leave your waste unsorted?
Have any of you edited your CA list to remove bad CAs?
With DNSSEC, you won't be able to remove any authorities.
This is not an improvement.
In any SSL+DNSSEC paradigm you are trusting:
Which is very concerning, is it not?
What about ICANN's not-legally-authorized seizure of domains? What about Verisign's domain slamming or DNS hijacking (breaking NXDOMAIN) or their own domain seizures? What about how registrars are often as sketchy as CAs and not as vetted?
Please can we move away from DNSSEC or any other overly centralized and rigid (i.e. choiceless) system as a foundation for our security?
But, anyway, I think your idea has merit.
Interesting idea, but I think mistaken. That there would always be a loser and a dominance struggle suggests one cannot be amused by one's self.
Thanks, that's good information!