
Comment My question about Convergence (Score 1) 127

I really love the idea of Convergence on the face of it, but I had one serious question:

Convergence seems to solve the problem of a government (Iran) placing fake certs in front of their users and decrypting their GMail and FB SSL connections, and what have you. But what if the fake cert is placed much closer to the target website which is being spoofed?

If you have a bottleneck in front of the target website you want to spoof, can't the attacker take advantage of that and put a fake cert /there/ since, if there are no other paths, all of the notaries would see the same cert, and pass it as "good"? For instance, if you take the case of a large multi-hundred-million dollar website hosted in the middle of the ocean, with one pipe feeding that island, if the attacker places their fake cert and proxy at that link, then every notary in the US would agree to pass the false cert. Similarly, if, say, a major backbone carrier had a secret room, through which passed all their data, and in which sat the FBI, they could place a proxy and fake cert there, and all notaries would see that cert and pass it as real.

That could be mitigated by having at least one notary running DNSSEC, but then you can't have a consensus, you have to have all notaries agree, and require the DNSSEC one to agree. This would work, but in that case, just use DNSSEC (Which I do /not/ like the idea of on its face).
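
The scenario raised in the comment above, modelled as an added example (not part of the original comment and not Convergence's own code). The topology, node names, fingerprints and the `required` parameter are constructed assumptions: each notary reports the fingerprint it sees along its own network path, and a required notary stands in for one that knows the real fingerprint out of band.

```python
from collections import deque

# Constructed topology: undirected links between hypothetical nodes.
LINKS = [
    ("client", "isp"), ("isp", "core"),
    ("notary_a", "core"), ("notary_b", "core"), ("notary_c", "core"),
    ("core", "island_link"), ("island_link", "server"),
]
REAL, FAKE = "fp:real", "fp:fake"  # constructed certificate fingerprints

def path(src, dst):
    """Breadth-first shortest path from src to dst over LINKS."""
    adj = {}
    for a, b in LINKS:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    hops, node = [], dst
    while node is not None:
        hops.append(node)
        node = prev[node]
    return hops[::-1]

def observed(viewer, interceptor):
    """Fingerprint the viewer sees: FAKE if its path crosses the interceptor."""
    return FAKE if interceptor in path(viewer, "server") else REAL

def convergence_check(interceptor, required=()):
    """Return (client_fp, accepted) for majority consensus plus required notaries."""
    notaries = ("notary_a", "notary_b", "notary_c")
    client_fp = observed("client", interceptor)
    agree = {n: observed(n, interceptor) == client_fp for n in notaries}
    # Assumption: a required notary knows REAL out of band (the DNSSEC-backed one).
    for n in required:
        agree[n] = client_fp == REAL
    majority = sum(agree.values()) > len(notaries) // 2
    return client_fp, majority and all(agree[n] for n in required)
```

An interceptor at `isp` is rejected because no notary's path crosses it, while one at `island_link` is accepted by plain majority and rejected only when a required out-of-band notary is added.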

Comment Re:They always have (Score 1) 556

I had looked at those 3rd party docks a bit, but they're super expensive, like triple what a dock for a Lenovo T500 would be. And to me a lot of the point is to save the ports from breaking by unplugging/replugging a few times a day, especially the mini-DVI port, we've had a few users that have gone through them, and I think mine is starting to be a problem. I'm not sure my company would go for it, but I can hope.

The "support not scaling" came from a friend who worked at a large, mostly Mac, multi-location company that we've all heard of and use. His problem was that if one of their laptops died, he'd have to call customer service, who'd tell him to take it to an Apple store, he'd say "no, here's what's going to happen, you're going to send me an empty box with a shipping label on it, I'm going to send the machine back to you, then later, you'll send it back fixed". They'd do it, but it was a hassle. Again this was a few years ago, and I seem to recall that they were working on Corporate Support as an initiative at some point recently. Maybe they fixed it. We usually deal with resellers, so if something breaks, send it back to the reseller and have them deal with it. Still, it's nothing like HP enterprise support, log into site, generate ticket, problem gets fixed (at least for server products, I have no experience with HP in the desktop/laptop space).

Comment Re:Fighter-pilot posture... (Score 1) 235

Huh, I organically seem to have come to the same conclusion. I lean back about 30deg or so which means I'm staring about dead center into my monitors, maybe a bit lower. It means my upper arms are not straight up and down, and I don't have a 90deg bend at the elbow, but my arms and wrists are straight all the way to the keyboard. Also, I've found that armrests on my chairs (Aerons for home and work) do more harm than good and cause elbow pain, so they're lowered out of the way, I don't miss them, and no more elbow pain.

No RSI to speak of yet after 25 years of constant typing.

Comment Re:Good (Score 1) 218

That's what I said above: "We only automatically block IPs which send mail to our honeypot addresses", and I know for a fact that the only mail sent from said IP was in response to user action, with a user buying something, getting a password reminder, uploading something, etc. I know I'm not full of shit, so why were those specific ranges blocked?

I've wondered if the honeypot addresses weren't super-obvious or guessable.

This is not to say that the company I was with at the time wasn't a huge bunch of borderline-spammers, but in talks with Spamhaus they specifically told me they only (repeatedly) blocked my IPs because they got mail from those IPs. What they blocked was not a network where users lived, it was hosted web-farm only, so it's not like someone's desktop was turned into a spambot either. I really think they just had it in for us.

Comment Good (Score 1) 218

They are hugely annoying to deal with if you send any volume of mail at all. I worked at a job in which we sent tens of thousands of order status emails per day (were there upsell attempts? Of course there probably were, but the thrust of the mail was "thanks for ordering, have a confirmation number"), and all it takes is a couple of people marking them as spam to get Spamhaus to start blacklisting you, your upstream ISP, your dogwalker's busdriver's cousin's hairdresser, etc.

I know they claim that they only blacklist IPs which send to honeypot email addresses, but I find that claim to be dubious at best, considering the IPs I've had blacklisted in the past.

Comment Crypto isn't the point (Score 1) 217

The point isn't "Jake's mail should be encrypted". Jake, being a pretty well known crypto advocate and analyst, knows this. The point is that the government has seized his records and communication, with no apparent cause. Likewise, he was one of three Wikileaks affiliated Twitter users who had all access records handed to the government, and DMs as well I believe. He's been detained at nearly every re-entry into the US for the last couple of years.

The point isn't "sucker should use crypto" or "well obey the law then", it's simple harassment of a citizen for acting, not illegally, but in ways the govt. and large private interests don't like. Had he broken a law, they've had their chance to pick him up at any number of border crossings rather than just sit him in a room and stare at him for two hours while planes are missed, etc. This is just the price of being a staunch activist for privacy and strong ubiquitous crypto today.

Comment Speaking of "Drone" (Score 1) 370

Each pilot sits in a small room with a rack full of gear wheezing away all day? Eech. This is why I don't move my desk into an IDF closet.

I remember hearing an interview on NPR not more than a few weeks ago which raised this exact issue, and in which it was brushed aside as utterly impossible, of course... "We have AIR GAPS, nothing can cross the air gaps!" Or something to that effect. I think they were talking about the video interception at the time. Meanwhile, they could ask Pfc Manning about how much information crosses the vaunted air gaps in military networks.

Comment Fix yourself first (Score 1) 393

Rather than adapting every device you touch, maybe you should look at why you need to do this.

In fact, you've decided that the telephone way is "right" and that every computer keyboard is "wrong". Since you only interact with a couple of phones, probably, might it not be easier to change them than it is to change every computer, TI calculator, keypad, etc? Shouldn't be too hard to write an "inverted dialer" app for whatever phone you have.

I fly on a numeric keypad, I can also dial my phone fast. The reason for that is that these are two devices that do two different things. I don't seem to have any spatial memory issues since you interact with them in different contexts.

tldr; YIKES!

Comment Re:Out of their minds? (Score 1) 240

That'd be a neat trick. I'd love to have the contacts, email and texting apps again. The overall UX of the Pre was really pretty slick though too. Maybe the rumors are true about HTC considering just buying it outright. If they do, I'm positive you'll see "hack WebOS onto an existing Evo 4G" start popping up pretty soon after they launch a phone with WebOS.

Comment Re:Out of their minds? (Score 1) 240

The main thing that bugs me really is the busted ass HTC clock/alarm clock app. Since it syncs time based on, my best guess, a keyword search on the city name of the network egress point it sees you coming from, they seem to tend to end up in the wrong timezones every now and then. That's pretty convenient. Oh, and when using an AirRave it thinks I'm in Red Hook, NY. I'm guessing it /means/ Red Hook, NJ, which is still nowhere near where I live.

Aside from that, adding hackers keyboard, K9 Mail and TextSecure seems to add most of what I need. The UI fluff that Palm did really well is missed, but not essential. Plus, on the Palm I couldn't easily set up an SSH tunnel and then VNC over it to firewalled machines. I just stumbled across that and it's a huge point in the HTC column. However, certificate management was hugely easier on the Pre.

Comment Re:Out of their minds? (Score 1) 240

Have you ever used a WebOS phone? It really is what I wish Android was. The UI is very polished. The Cards paradigm is the best way to switch tasks and I was looking forward to the Pre3 for further improvements. When it became apparent the Pre3 wasn't going to Sprint, I got an HTC Evo 4G (Two actually), and while it's definitely usable, Android is nowhere near the user experience of WebOS. Palm's mail app and contacts app hands down beat anything I've used on Android or iPhones.

It's a good OS, and Palm put a lot of resources toward UX. It struck a great balance between the dumbed-downedness of the iPhone and the power of Android. I wish they hadn't shot themselves in the face with their underpowered devices, annoying their development community and the too-ethereal-for-you creepy TV ads.

Comment Re:Question (Score 3, Informative) 351

The point of stenography is to write very fast in abbreviated form, using a set of glyphs that enable you to write very quickly in terrible chicken scratch that no one other than a trained secretary can read and which drives mortals straight past drink to heroin, also called shorthand. Stenography also refers to typing quickly on a special keyboard, in order to capture as much spoken dialog as possible in-line. Often seen in courtrooms.

The point of steganography is to obscure data within other innocuous data. This is where you hide your secret missile codes in photos of cats you post on Flickr.
