The only reason for CHAP to exist is so that you can avoid sending the password in plaintext over an unencrypted channel. Proper encryption fixes that problem without introducing the greater problem of requiring plaintext password storage.
To be fair, many systems involving end users do store passwords in plain text because a frequent tech support issue is forgotten passwords. I have never built such a system because I've always disclosed up front that this is a bad idea, and we create alternative solutions that don't involve giving out passwords (just resetting them).
PHP being dangerous for novices doesn't make it a poor tool, it makes it a poor tool for novices. C is a useful tool too, and in many cases can be the best tool for the job, but in the hands of a novice it can be dangerous.
The problem isn't PHP specifically (because just about any web-oriented programming language can have similar problems) it's that there are lots of people interested in making dynamic web sites who don't understand the risks. Building and deploying dynamic web sites means subjecting them to possible attack from billions of other people. This is a far different (and bigger) challenge than simply deploying a desktop application, but we still have scads of "tutorials" that treat security as an afterthought.
Web programming is not, nor should it be, something anyone can "whip up" without understanding what they're doing. Think of it this way: "Hey Bob, while you're in that level 4 biohazard lab, why don't you check out this nifty tool I made. I'm pretty sure it won't damage your suit. What? No, I don't have any experience making bio lab tools. Or working in one. Does that matter?"
If Apple is developing an anti-consumer backlash, they have only themselves to blame. Poor customer service, poor developer relations. Obviously some of their competitors will be happy for them to get a bad rap, but you reap what you sow. Apple makes a great product, for as long as it works and you like what it does. When it breaks, or you want to get it to do something outside of Apple's plan for the product, that's where the pain starts.
And other than Hussein being a jerk, it was working--there's no evidence Iraq actually HAD any WMDs. The US just fabricated that story so they could go to war and depose Hussein. All while claiming to be "the good guys".
Depositing money in such a way as to avoid the $10K limit is called "structuring" and it's also illegal, IIRC.
The government does investigate large deposits, but primarily this is so that the IRS can make sure they get paid. I've had them send me a nastygram because I made a nice large deposit and they thought I didn't report it on my taxes; I had to respond and tell them exactly how they missed it. Not really very cool, but remember the primary reason is about money. Too many people deposit $10K or more perfectly legitimately for them to get their panties in a wad over every case.
GoDaddy turbo certs are $20 and only require the email address on the domain validates.
If you don't know you're talking to the correct endpoint, you have no idea if you're the victim of a man-in-the-middle attack. That's why certificates exist.
That said, a self-signed cert is definitely better than no encryption at all, because it changes the attack mode from passive (just read the conversation as it passes by on the wire) to active (intercept all communication between Alice and Bob and pretend to be Bob when talking to Alice and pretend to be Alice when talking to Bob). However the latter will be scripted up soon enough if self-signed certs became the norm for web sites.
This is exactly the same problem as distributing server keys for SSH. The first time you connect to an SSH server, you're presented with a fingerprint of the server's key, which you're supposed to verify through other means (e.g. call the sysadmin). If it doesn't match, you're a MITM attack victim and you don't log in. After that, your SSH client typically remembers the server's key and warns you if it ever changes.
This is exactly what SSL sites should do, except that research like this shows users don't understand the warning messages, so how would they know how to use that method any better than the current one?
That's actually a completely fair question. I had read that but couldn't recall where, so I searched for it and couldn't immediately find it. I did find this study which claims the opposite:
http://www.edge-online.com/news/study-claims-pc-market-largest (Link to a summary since the full original report is expensive)
So I don't have facts and figures at hand to substantiate my assertion. However, there are some interesting issues with the report. It claims that nearly 200m gaming-class PCs were sold from Q3 2005 to Q3 2008, while nearly 75m PS3/Xbox360/Wii consoles sold in that same time frame. I'm not sure that a gaming-class PC is always purchased for gaming, however; most new PCs could be considered "gaming-class" even if there's no intention of purchasing them for games. Consoles on the other hand are almost always intended as games machines.
The number of hardware units sold only determines the largest potential market for game software, but the number that actually matters is the number of software units sold. If the "potential" market for PC games is 2x the console market but console versions of a game outsell the PC versions by 5x (that number is in line with what I remember reading) then any business trying to survive would be foolish to focus on the PC.
I really hate console gaming. I don't like controllers, I prefer keyboard and mouse, and I prefer the depth to games developed specifically for the PC. But there are many, many more people who would love to play games from time to time and don't want to do it on a tiny screen; consoles make that possible, and spares people from the technical hassle of dealing with Windows and drivers and patches, etc.
You are assuming that the current crop of game publishers gives a rat's ass about the PC market. They don't. They see the entire PC market as a den of thieves just waiting to copy their precious IP, and it's a tiny fraction of the size of the console market. Higher risk, vastly smaller return on investment, it's a no-brainer for them in a business sense: skip it. This is why they can justify trying to boil the frog by upping the DRM ante all the time--they don't really care that much if they lose the market.
The good news is, if the big publishers abandon the PC market, it will leave a demand vacuum and smaller companies will emerge to fill the gap by offering products people want.
Not to mess up a good rant, but you do understand that when you hand off a key to a certificate authority for signing, you only give them the public portion of the key? The same portion everyone who communicates would need in order to encrypt anything?
The CA signs your public key. It's basically a third party that confirms to Alice that Bob uses a particular public key. And if you know the public key is correct, only the owner of the private portion of the key can use it for encryption.
The kind of attack that would be required, if the CIA actually had control of the CAs, would be to present a phony public key for Bob, signed by the CA. And that only works if they can control the dissemination of the certificate itself. Control of the CA doesn't allow them to snoop on all conversations with the keys presented to them.
This is not to say that PGP is a bad idea, just that certs do not work like you suggest they do.
"When it comes to humility, I'm the greatest." -- Bullwinkle Moose
