
Comment Yearly overlapping, if it means better stability. (Score 1) 284

IMHO, Yearly releases would be ok, if it means they're actually stable. Above all, please keep developers working on fixing problems AFTER the release, or keep it longer in RC if necessary. Above all, don't uphold freezes, if it renders related components unusable or severely broken.

One of my personal examples was the QBzr package in Jaunty. The Bzr package was upgraded since the previous release, but the QBzr package wasn't, leaving it at a broken API. When I noticed it, the freeze was already in place, and the end result was that QBzr was mostly unusable during Jaunty. (Better having unusable packages than making an exception)

Comment Interesting Google Tech Talk (Score 1) 112

http://www.youtube.com/user/GoogleTechTalks#p/search/0/SSYXw87BWXo Look especially at 08:32 and a few minutes onwards.

For the impatient: Privacy International reflects on the point that these dictatorship-friendly features aren't originally ordered by dictators. From the beginning it was demanded by western governments, and once available, not explicitly disabled to the next customer. (In this case, Iran)

Comment Re:Dinosaurs (Score 1) 209

Q: Why does a dog lick his balls?
A: Because they can

They need no reason other than that. Fix the legal system and they'd have to shape up, but as long as RIAA/MPAA is allowed to heavily influence the WTO, I think they'll prefer to adapt the legal systems rather than their business models.

Comment Social justice must come from economic models (Score 1) 360

In the free market, the customer-base with the most money usually rules. Technological developments are usually targeted and priced for the wealthy, simply because there isn't much money in poor people.

Only after saturating the upper- and middle-class markets, there might be leftover scraps for the lower class, either by lowering the price closer to manufacturing costs, or simply through resale of used devices. At that point though, the upper and middle classes are on the next cool thing, while the lower class is left with 5-year-old technology.

The reality is sad.

Comment User-expectations (Score 1) 385

I wonder if there might, in addition to other contributing factors mentioned here, be a difference in user-segmentation and corresponding expectations.

I often see non-tech users searching for things like "facebook" in a search-engine instead of typing it in the location-bar, of course with great success. My prejudice tells me Bing might have a much larger share of those easy searches than other engines.

Comment Re:Like all One-Size-Fits-All approaches.. (Score 1) 243

Could you please elaborate on this?

I'm no expert on the subject, but intuitively it seems like a system where the trust of X is calculated as some kind of aggregation (simple sum?) of the product of all trust-factors, in all the lines between you and X (how much you trust your closest friend, how much he/she trusts the next friend in the chain and so on), including negative trust (banning) could work fairly well?

Comment Re:Very Unfortunate. (Score 1) 354

I wish more people would come to this conclusion, especially those targeted by the attacks.

However, I'm afraid they're just moaning and complaining of the poor morality of computer criminals. The idea that there may be better and worse ways to run IT systems isn't likely to get through to them no matter what happens.

Comment Re:Time for hardware security. (Score 1) 622

Noop. But I can ensure that when I DO important errands like banking, that the amount and target account is correct and not tampered with.

For example, my bank is now expecting me to use a manual crypto-device and is taking good care to explain that a login-signature should always start with a 9, confirming sum transferred should always be confirmed by signing the amount to transfer (which may not be an 8-digit number starting with 9), and approving a new account, the number to sign is the new account number.

It's never hard to fool users that don't care, but there should at least be ways to make caring about security as easy as possible.

Comment Re:Time for hardware security. (Score 1) 622

Smartcards don't come with a button for approving signatures. You're still quite vulnerable to spyware with them, any software running with your credentials on the machine can access the smartcard and make signatures.

Besides, the point about standardization is missed since few machines have the physical hardware interface-slots in them, so I can't bring my identity with me. A standardized USB interface could work with only software driver updates to any existing machine.

Comment Re:Time for hardware security. (Score 1) 622

Sorry, I missed the obvious need for a pincode/passphrase-type entry in the really sensitive extended version. Preferably physical, although perhaps entered on the machine can be good enough for most purposes. (If the same person installs spyware and has physical access to your key, you probably have other trust problems as well.) Of course it doesn't protect from high-tech million-dollar scanning equipment that can read keys from the chip anyways, but well, a person with that kind of money has other ways to get to you.

For the low-sensitivity applications, the chance of physically losing the key easily beats 1) same password at all sites (one site with weak protection and you're screwed) or 2) all passwords stored locally for remembering (spyware targeting credentials and you're screwed).

Of course, the public key cryptography that this requires is also still unclear with respect to quantum computing. There are weaknesses, but it easily beats passwords.

Comment Time for hardware security. (Score 2) 622

I've long longed for a USB hardware device containing a small crypto-processor, a public/private keypair, and a button. Given a standardized interface (as standardized as USB block-devices) it would make a perfect key-solution to keep in my physical keychain to identify myself in all kinds of circumstances.

  * Need to sign a bitcoin-transaction? Let the software queue a request and press the button.
  * Need to identify yourself on the web? Again, let the site send a challenge, the browser forward it to the key, and press the button. (Possibly already possible through SSL?)

As an extension, the key could hold two keys of different "level". A common key, not requiring the button to identify me to less-sensitive services, and a button-locked key for more important purposes.

For online banking, extend the key with a small display to show exactly what you're signing, and you get rid of all the manual transactions.

Is there at least something less-standardized for this?
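
The two-level key, button approval and display described in the comments above can be modelled in a few lines. This is an added example, not part of the original comments: the `ButtonToken` class, the host names and the payment text are hypothetical, and HMAC secrets stand in for the public/private keypairs so the sketch runs on the Python standard library alone.

```python
import hashlib
import hmac
import os
class ButtonToken:
    """Simulated token; HMAC secrets stand in for the two private keys."""
    def __init__(self):
        self._keys = {"common": os.urandom(32), "sensitive": os.urandom(32)}
        self._pending = None
        self.display = ""

    def request(self, level, origin, challenge, text=""):
        # Host software queues a request; only the common key signs unprompted.
        self._pending = (level, origin, challenge, text)
        self.display = f"{origin}: {text}"  # what the user is asked to approve
        return self._sign() if level == "common" else None

    def press_button(self):
        # Physical approval: signs exactly the request shown on the display.
        return self._sign()

    def _sign(self):
        if self._pending is None:
            return None
        pending, self._pending = self._pending, None
        return self._mac(*pending)

    def _mac(self, level, origin, challenge, text):
        # Length-prefix each field so distinct requests never share an encoding.
        parts = (level.encode(), origin.encode(), challenge, text.encode())
        msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
        return hmac.new(self._keys[level], msg, hashlib.sha256).digest()

    def verify(self, sig, level, origin, challenge, text=""):
        expected = self._mac(level, origin, challenge, text)
        return sig is not None and hmac.compare_digest(sig, expected)

def demo():
    token, nonce = ButtonToken(), os.urandom(16)  # constructed sample values
    login = token.request("common", "forum.example", nonce)
    queued = token.request("sensitive", "bank.example", nonce, "pay 100 to A")
    signed = token.press_button()
    bank = ("sensitive", "bank.example")
    return {
        "login_ok": token.verify(login, "common", "forum.example", nonce),
        "needs_button": queued is None,
        "approved_ok": token.verify(signed, *bank, nonce, "pay 100 to A"),
        "altered_rejected": not token.verify(signed, *bank, nonce, "pay 900 to B"),
        "replay_rejected": not token.verify(signed, *bank, os.urandom(16), "pay 100 to A"),
    }
```

Software on the host can queue a sensitive request but gets no signature until the button is pressed, and the signature covers the origin, the fresh challenge and the displayed text, so it does not verify for a different amount or a later challenge.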
