
Comment Dangerous overkill (Score 1) 88

Dangerous because automatic key updates should require a great deal of verification of the new keys. I could imagine some scenarios (e.g. cloned virtual machines), which lead to the authenticated key being correctly updated (e.g. old instructions/documentation) by the admin, but the EC key not overwritten (since it's not in the standard procedure). If this EC key then is copied automatically to the client, any of the cloned machines would be accepted as a verified server after the login.

Overkill because exposing the public keys in terms of the sftp protocol would be less invasive and give the client full control over what to do with the keys.

Comment Well they are used to facebook. (Score 1) 307

Seems reasonable to me.

Facebook: If you click here, for playing FarmVille and getting up-to-date advertisements around the world and hearing which of your friends prepares pizza right now, you give us all your data. We will sell it or not, as we see fit, ask you about it or not, as we see fit, change the rules at any time, as we see fit, and if you don't disagree immediately, we will make an effort to protect our interest by just giving you enough privacy not to run away.

NSA: To stop terrorists killing you all, we need to log all data of you which we can get.

Yes, if you give me the choice if the ratio of loss of privacy to gained comfort/security is better for Facebook or the NSA, I choose the NSA.

Comment Re:Defective by design. (Score 1) 222

Two years ago: OpenVPN was fine, but webpages of providers were blocked (not a bad strategy...).

Last year: private OpenVPN server worked, but connections dropped after ~1Gbyte was transferred, and well known providers were blocked.

This year: OpenVPN was detected (not sure how!) and private server seems to have ended on some "gray" list, ssh connections after that were very slow (although that could coincide with slow internet); sshing to Singapore AWS cloud was fine, but I had the feeling that switching between ports for ssh helped after big data transfers or long connections. Connecting by mobile (state telecom) was better than by WLAN.

Blocking seems to happen solely based on target (outside China) IP.

The rationale behind blocking VPNs but not ssh is simple: China is not interested in blocking perfectly. They don't care about (or even may like) that you can set up cloud servers which you need for your thing outside China. They don't care about 1% of the population and all foreigners getting unfiltered access to the outside world. As long as they can filter the information for the vast majority. Which implies that the material they mostly care about is video, which means that intentionally slowing ssh still enables you to do your admin work, but you cannot copy 1000 youtube videos quickly. Also, for ssh there is no "1-click-vpn" client available......

Comment Only make laws which can be enforced (Score 1) 562

The way out would be that I would have to license and register private keys for encryption. This is difficult to enforce since there is no way to judge if you use unregistered private keys without entering your home and looking at your hard drive.

The result would be that criminals would continue to use it, and that normal people would be criminalized.

Comment You care about the kernel? Incentives to take part? (Score 1) 361

The average tone on the kernel mailing list is not an incentive to participate to an unbiased observer.

If you care about results, don't drive people away. And yes that applies for the whole OS community. Whenever I consider taking part in an OS project, because I find it interesting, I look at the development process/communication and find the tone, way of discussion, and egocentric behaviour unacceptable.

Do you really think I contribute to a project which barely builds in exactly your environment with hundreds of obscure dependencies, and when I try to fix it, getting barfed at over the unacceptable choice of standard tool X (yeah, I know, build processes which work out of the box on all Linux distributions are *evil*), which seems to be directly from hell?

Do you really think I participate in a discussion where three dickheads call my approach "SHIT" because they don't like it, without a proper argument, and often referring to episodes which happened 20 years ago as justification?

Do you really think I invest time into projects where the goals are defined by the means, and not vice versa (see the systemd debate)?

I really think I have better things to do with my life.
