Well okay, but someone could build a *much* better version of that. And mirror it out to other sites. How do you know you can trust the certificate of grc.com?

But as a proof of concept for what all secure site operators and their Certificate Authorities should already be doing, yeah.

Yes, there is a simple solution.

Google should post, in a permanent, obvious location, a list of the SSL Certificates they are using along with the certificate fingerprints.

This list should be mirrored by other parties and the issuing CA to prevent the problem where someone with a forged cert can post their own list. They could also mirror the list in DNS TXT records.

This should be standard for every well-known site that uses SSL, and it should be a service provided automatically by every Certificate Authority.

I'm sick to death on non-transparent CAs. Publish the certs you sign. Publish your revocation lists. Stop assuming that no one understands what you do or that you don't have a responsibility beyond lining your own pockets.

I was in my early 20s when Myst came out. The visual design turned me off, it looked like someone's coked-out New Age fantasy come to life. Like a wine bar on steroids, all brass rail and ferns and bubbling water. No thanks.

Now, "The Neverhood", on the other hand... that was like being dropped into the middle of a Gumby adventure. That game rocked.
http://en.wikipedia.org/wiki/The_Neverhood

I know, off-topic since not an open world game. But it was puzzle-solving and on CD-ROM, so...

Layman's answer:
It's trolling when the party seeking to enforce their patent rights has no intention of selling an actual working implementation on the open market.

If the purpose of your company is to make money by licensing an idea, rather than selling a product or service that incorporates that idea, then you're a troll. The system shouldn't allow you to feed on other companies and individuals that are using that idea in their own products or services.

Nobody cares if an inventor sells a patent to a manufacturer or a service provider who will actually use it, that's how the system is supposed to work. But holding companies and the builders of defensive portfolios should have no place at the table.

Also, just because business has been conducted a certain way up till now, doesn't mean that's the best way to conduct business. Thomas Edison wasn't a saint, he ruthlessly exploited the inspiration and perspiration of everyone who worked for him and went to great lengths to crush his competitors. WE CAN DO BETTER, is the point.

Newsflash: If you run servers in Amazon's cloud, you have to trust Amazon.

There's no flaw in AWS that enables this hack by untrusted parties. You have to have access to the AWS account in order to clone a volume, just like you'd have to have physical access to a physical server to clone a volume.

The only interesting point here is that an Amazon employee could do this without you knowing it. But come on, how obvious is that? Their sysadmins could do a lot more than just clone your hard drive and change the password, you know.

Thanks for updating chntwp, though.

Or the code comes from a known-good set of files on your local drive, and only the encrypted data is transferred to and from the cloud.

HTML + CSS + JavaScript files == open source. As long as you load them using a file:// URL you can know what exactly you're getting.

This is preferable to an extension which is a) compiled and b) could access every page my browser visits.

A real fix to this problem would let me download the js and html and whatnot once, as a signed archive, and use your application from a file:// url on my computer.

In other words, the only thing that would come from a server from session to session is the encrypted data file. No application code. No HTML. Just the data.

It's a lot more like a traditional application, except that it runs in the browser and the source code is right there for me to look at.

It takes a lot of light--A LOT of light--to grow big, healthy plants.

LEDs are great for growing seedlings, and also lettuces and strawberries and other "low" crops. But when it comes to corn or tomatoes or other things that get tall, you need 4x-6x the lights in order to cover the mature plant. It's a big investment.

Cmd-Shift-Delete on a Mac.

Nice shortcut, thanks!

Yep. Bingo.

Safest solution is to write your own "browser" in PHP or something and keep the request headers limited to just GET and Host:, and don't download any linked stylesheets, scripts, images, favicons, objects, or embeds. Have fun with that!

It *would* be nice if there was a paranoid mode in Firefox or Chrome that prevented cross-domain resources from being loaded. But that would break a bunch of sites, too, where some yokels bought the argument that speed is everything and spread their frontends over a bunch of different subdomains and third-party CDNs.

1) Let's say you had a rootkit-like patch for a popular model of carrier-grade fiber optic switch. Now let's say that you control one or more key employees of an engineering company that installs carrier-grade networking equipment in various parts of the world. Gives it to universities for free. Operates popular chains of internet cafes.

2) Let's say you deploy large numbers of compromised TOR routers in all of your embassies and consulates. Or as a botnet.

3) Let's say you have a team of skilled malware writers that work on creating network sniffing botnets. Let's say the malware is also able to install a sniffer on several popular models of wi-fi access point, with known (and unknown) firmware issues, backdoors, or simply default passwords.

4) Let's say you have massive arrays of wi-fi and cellular antennas installed in all of your embassies and consulates, and 60 years of experience isolating and processing signals from distant enemy transmitters.

Those are four possible scenarios. I'm sure if you think about it you can come up with others.

We all know that the Internet is inherently insecure, and that software is exploitable. Given enough storage to capture everything in real time so they can apply map-reduce to it, the NSA (and presumably other spy agencies) have their work cut out for them.

+1 - unlike most states, California could actually pull secession off. Big population, lots of industry, geographically diverse and geographically isolated. Great trade connections. Plus most of the rest of the US wishes they'd fall off the edge of the continent already.

Good luck getting much water out of the Colorado river post secession, but that's been drying up anyway.

If California were to secede, I would move back in a heartbeat.

Some followup, via http://blog.foreignpolicy.com/posts/2013/07/09/can_the_us_create_a_national_park_on_the_moon:

The 1962 Declaration of Legal Principles Governing the Activities of States in the Exploration and Use of Outer Space prevents states from asserting claims over parts of outer space, including the Moon.
http://www.oosa.unvienna.org/oosa/SpaceLaw/gares/html/gares_18_1962.html

However, according to 18 USC 7, spacecraft in flight (that is, that haven't returned to Earth) are US Territories.
http://www.law.cornell.edu/uscode/text/18/7

So Congress could theoretically declare that the spacecraft we abandoned on the Moon are a National Park, but they have no jurisdiction over the areas around them that were explored by astronauts.

This isn't about who owns the Moon, because obviously no one does.

The more interesting question is, does the USA own the sites where our astronauts landed? And it seems to me that, absent any other legal precedent, we do. Or we would at least have a better claim to those sites than anyone else not currently inhabiting them.

I'm a little surprised that Congress, in 1969, didn't declare the Moon (or parts of the Moon) to be official U.S. territory, annexed by whatever means we used to annex a bunch of islands in the Pacific, and a big slice of Antarctica. Perhaps there is a residency requirement, but there are at least a few island territories that have no permanent inhabitants.

Anyway, I don't mean to troll -- we came in peace for all mankind, etc. But obviously there are analogous cases on Earth that could be used to define a protocol and legal framework for claiming non-contiguous, unoccupied land as a territory belonging to a nation-state. And if we didn't do it right during the Apollo missions, then that sounds like a damn fine reasons to haul our asses back there and stake a proper claim.

Quickest way around that: send out a few emails as the company CEO, and set the Reply-to address to a random colleague.

Loads of fun, and all you need is a command line on a server somewhere.

Don't blame me if you lose your job, blame RFC 822...