Submission + - Cryptome emptied of contents (again) (kickstarter.com)

marienf writes: Cryptome, the original whistleblower site, is conspicuously empty again:

---cut here---
403: Forbidden
This error message is generated when the web server is trying to access a file that does not exist or has been configured incorrectly
Troubleshooting suggestions:
Ensure that you have a valid home page defined in your website directory (example: /htdocs/index.html, /htdocs/index.php). On Unix, this is case sensitive and must be all lower case.
In your Account Manager, under Hosting Tools, click to "Reset File Permissions".
---cut here--- .. It's a strange coincidence that they promised to release >1million documents freed by Snowden this very month..

http://www.theregister.co.uk/2...

http://motherboard.vice.com/re... .. and that they're 20% into getting funded at Kickstarter.. Either someone fears this release, or it's the dumbest publicity stunt I've ever seen. The latter would be so very out of character with what I've seen so far from John and Deborah that I'm convinced of the former.

I strongly suggest we slashdot (v.) the kickstarter campaign in a financial sense so they get funded ASAP, preferably a few times over, and they get it over with, publish the whole set already!

Done my bit at:
https://www.kickstarter.com/pr...

http://cryptome.org/
http://cryptomeorg.siteprotect...
http://webcache.googleusercont...

Comment Near Zero Impact (Score 4, Informative) 144

> Most Linux distributions use OpenSSL for TLS.
> Even if a program links to GnuTLS, it may not use GnuTLS for certificate validation,
> and if it doesn't, then it's not affected by this bug (one example is Google Chrome)

Agree. I've run through everything that linked to gnutls on my distro (Arch) and although there's
quite a lot of binaries that do, most of those do not offer TLS connections (or any network connectivity at all), so my
guess (without knowing GnuTLS at all) is that they use some other feature offered by the library.

Of those that I know actually capable of SSL/TLS connections, all (also) link to OpenSSL.

So without making a definitive statement, AFAICT this should have near zero impact on GNU/Linux.
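The comment above describes going through every binary that links GnuTLS and asking whether it actually does TLS. As an added example (mine, not the commenter's), the Go program below automates the first half of that with the standard library's debug/elf: it opens each ELF file in a directory, reads DT_NEEDED to see whether libgnutls is linked, and then looks at the imported dynamic symbols for the GnuTLS certificate-verification entry points, which is the part of the library the bug under discussion lives in. The symbol list, the library-name prefixes and the default /usr/bin directory are my assumptions.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Verdict summarises how one binary relates to GnuTLS.
type Verdict struct {
	LinksGnuTLS   bool // a libgnutls* entry appears in DT_NEEDED
	VerifiesCerts bool // imports a GnuTLS certificate-verification function
	LinksOpenSSL  bool // also links libssl/libcrypto (the comment's observation)
}

// verifySyms are the GnuTLS entry points a program calls to validate a peer
// certificate (assumed list; prefix-matched so versioned names also hit).
var verifySyms = []string{
	"gnutls_certificate_verify_peers",
	"gnutls_x509_crt_verify",
	"gnutls_x509_trust_list_verify_crt",
}

// classify derives a Verdict from DT_NEEDED names and imported symbol names.
func classify(needed, imported []string) Verdict {
	var v Verdict
	for _, lib := range needed {
		switch {
		case strings.HasPrefix(lib, "libgnutls"):
			v.LinksGnuTLS = true
		case strings.HasPrefix(lib, "libssl."), strings.HasPrefix(lib, "libcrypto."):
			v.LinksOpenSSL = true
		}
	}
	for _, sym := range imported {
		for _, want := range verifySyms {
			if strings.HasPrefix(sym, want) {
				v.VerifiesCerts = true
			}
		}
	}
	return v
}

// inspect opens an ELF file and classifies it. Non-ELF and statically linked
// files come back as errors and are skipped by the caller.
func inspect(path string) (Verdict, error) {
	f, err := elf.Open(path)
	if err != nil {
		return Verdict{}, err
	}
	defer f.Close()
	needed, err := f.ImportedLibraries()
	if err != nil {
		return Verdict{}, err
	}
	syms, err := f.ImportedSymbols()
	if err != nil {
		return Verdict{}, err
	}
	names := make([]string, 0, len(syms))
	for _, s := range syms {
		names = append(names, s.Name)
	}
	return classify(needed, names), nil
}

func main() {
	dir := "/usr/bin" // assumed default; pass another directory as argv[1]
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	entries, err := os.ReadDir(dir)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		v, err := inspect(filepath.Join(dir, e.Name()))
		if err != nil || !v.LinksGnuTLS {
			continue
		}
		fmt.Printf("%-32s verifies-certs=%-5v also-openssl=%v\n", e.Name(), v.VerifiesCerts, v.LinksOpenSSL)
	}
}
```

A hit on the verification symbols is a strong signal that the binary itself validates certificates with GnuTLS; a miss is not proof of safety, because a program that reaches GnuTLS through a wrapper library imports that wrapper's symbols rather than GnuTLS's, so the shared libraries in the chain need the same treatment as the executables.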

Comment part of my solution below (exim4) (Score 1) 89

deny demime = xlsx:docx:pptx
    log_message = Message contains OOXML Attachment.
    message = We Do Not Accept OOXML (docx,xlsx,pptx) Attachments See http://noooxml.wikidot.com/

deny demime = dat
    log_message = Proprietary Attachment format
    message = Non-Standard Attachment Practice (winmail.dat). Please Fix Your Email System.
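The two Exim ACL conditions above match on the attachment's declared extension. As an added example (not the commenter's configuration, and not Exim), the Go program below applies the same policy from message content instead: it parses a MIME message with the standard library, decodes each attachment, and looks for the OOXML markers (a zip local-file header followed by the [Content_Types].xml part every OOXML package carries) and the TNEF signature that starts a winmail.dat, falling back to the extension only when the bytes are unrecognised. The sample message, including a ".pdf" that is really an OOXML package, is constructed inline for the example.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"path"
	"strings"
)

// Finding is one attachment the policy would reject.
type Finding struct {
	Filename  string
	Kind      string // "ooxml" or "tnef"
	ByContent bool   // true when the magic bytes decided, not the extension
}

var (
	zipMagic    = []byte("PK\x03\x04")           // OOXML files are zip archives
	ooxmlMarker = []byte("[Content_Types].xml")  // and always carry this part
	tnefMagic   = []byte{0x78, 0x9F, 0x3E, 0x22} // TNEF signature 0x223E9F78, little-endian
)

// classify decides by content first and by extension second, so a renamed
// report.pdf that is really a .docx is still caught.
func classify(name string, data []byte) (kind string, byContent bool) {
	switch {
	case bytes.HasPrefix(data, zipMagic) && bytes.Contains(data, ooxmlMarker):
		return "ooxml", true
	case bytes.HasPrefix(data, tnefMagic):
		return "tnef", true
	}
	switch strings.ToLower(path.Ext(name)) {
	case ".docx", ".xlsx", ".pptx":
		return "ooxml", false
	case ".dat":
		return "tnef", false
	}
	return "", false
}

// scan walks the MIME parts of a raw message and returns the attachments the
// policy would deny. Only base64 needs manual decoding; Go's multipart reader
// already decodes quoted-printable parts transparently.
func scan(raw string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err != nil || !strings.HasPrefix(mediaType, "multipart/") {
		return nil, err // single-part message: nothing to inspect
	}
	var findings []Finding
	mr := multipart.NewReader(msg.Body, params["boundary"])
	for {
		part, err := mr.NextPart()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return nil, err
		}
		name := part.FileName()
		if name == "" {
			continue // inline body text, not an attachment
		}
		var r io.Reader = part
		if strings.EqualFold(part.Header.Get("Content-Transfer-Encoding"), "base64") {
			r = base64.NewDecoder(base64.StdEncoding, part)
		}
		data, err := io.ReadAll(r)
		if err != nil {
			return nil, err
		}
		if kind, byContent := classify(name, data); kind != "" {
			findings = append(findings, Finding{name, kind, byContent})
		}
	}
}

// buildSample constructs a test message (not a real capture): a ".pdf" whose
// bytes carry the OOXML zip markers, and a winmail.dat TNEF blob.
func buildSample() string {
	ooxml := append([]byte("PK\x03\x04"), make([]byte, 26)...)
	ooxml = append(ooxml, []byte("[Content_Types].xml<?xml version=\"1.0\"?>")...)
	tnef := append([]byte{0x78, 0x9F, 0x3E, 0x22}, 0x01, 0x00, 0x00, 0x00)
	b64 := base64.StdEncoding.EncodeToString
	return "From: a@example.test\r\nTo: b@example.test\r\nSubject: constructed sample\r\n" +
		"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n" +
		"--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n" +
		"--b1\r\nContent-Type: application/pdf; name=\"report.pdf\"\r\n" +
		"Content-Disposition: attachment; filename=\"report.pdf\"\r\n" +
		"Content-Transfer-Encoding: base64\r\n\r\n" + b64(ooxml) + "\r\n" +
		"--b1\r\nContent-Type: application/ms-tnef; name=\"winmail.dat\"\r\n" +
		"Content-Disposition: attachment; filename=\"winmail.dat\"\r\n" +
		"Content-Transfer-Encoding: base64\r\n\r\n" + b64(tnef) + "\r\n--b1--\r\n"
}

func main() {
	findings, err := scan(buildSample())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("deny %-12s kind=%-5s decided-by-content=%v\n", f.Filename, f.Kind, f.ByContent)
	}
}
```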

Comment Re:who are we fooling? (Score 1) 279

> So what are you proposing instead?
I'm proposing to stop outsourcing most PKI to central authorities, making the "trust" a conscious user decision.
Now before you argue that I can remove all authorities from my browser and add exceptions as I go, this is not a solution as what I will find
is single-signed by some company I have no way of checking. If what I found was multi-signed there would be a reasonable chance of determining
a level of trust via my web of trust. e.g. I would have something to go on while making that decision.

> I think the whole point of HTTPS Everywhere is that using it is better than not using it.
Sure, but HTTPS (SSL, TLS..) is not what I have issues with. What I have issues with is using certificates single-signed by central authorities and preloading these into client software.

> As security increases, convenience decreases.
I cannot argue with that :-) I just think it's necessary.

Comment who are we fooling? (Score 5, Insightful) 279

> this means that Firefox on Android with HTTPS Everywhere is now by far the most secure browser
> against dragnet surveillance attacks like those performed by the NSA, GCHQ, and other intelligence agencies.

While I certainly think it is a good idea to encrypt traffic, this statement is highly misleading or naive: Since the CA
system is *flawed by design* and every one of those "authorities" in the long list of built-in CAs inside
your browser can, by negligence or choice, supply any of these and other agencies with a valid certificate for
*any hostname in the world*, initiatives like these protect your privacy only from your local sysadmin/ISP, and also
do nothing against traffic analysis.

Should a US person/company trust that "China Internet Network Information Center" isn't going to create a cert for a
US bank or company to perform a MITM attack with? Should a Chinese company trust "Wells Fargo" not to?
Should the Greeks trust "TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007", or the
Turks "Hellenic Academic and Research Institutions Cert. Authority"? What on earth makes you think ALL of these
companies can resist pressures to misbehave? Yet all of them are built-in to your browser and "you" trust them.

Just go to any (Cloudflare, Akamai..)-accelerated site using https and check out the certificate used to see how that works:
They are issued certificates for the customer domains they accelerate, and hence have access to all the traffic.
In essence, they do exactly what a man-in-the-middle attack would do, except on a much grander scale (and with the collusion
of the actual domain holders). The agencies can carry out such attacks from within the ISP's, and your browser would still show "green".

The Cert validation in the browsers leads to a *dangerous false sense of security* at most. This is crypto, a weakest-link business
if ever there was one, folks. It's not ALL, or SOME that need to fail in order for PKI to fail, it's ANY of them.

Surely, we can do better than that: We should get rid of all centralised security illusions. Why aren't we signing contents using our PGP
keys, which at least make multiple signers possible and habitual, and, and this is the essential difference, IMHO: that *you* have made a
conscious decision to trust or mistrust, to a certain degree, by reviewing a web of trust, as in informed consent as opposed to blind paternalism
of massively built-in, pretrusted certificates by distant companies you really have no clue about.

WKR,
-f
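The two comments above ("who are we fooling?" and the reply) argue that a trust store where every built-in root may issue for every hostname makes the weakest CA the security level of the whole system, and that the trust decision should be the user's. As an added example (mine, not the commenter's code), the Go program below reproduces the failure with the standard library's crypto/x509 and then shows the narrower check the comment asks for: two self-signed roots sit in one pool as a browser would hold them, each issues a certificate for the same hostname, a stock chain verification accepts both, and a verification that additionally pins the SPKI hash of the one root the user chose rejects the certificate from the other root. The CA names, the hostname bank.example and the serial numbers are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// ca is a self-signed root plus its signing key (names below are invented).
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// sign generates a P-256 key for tmpl and has parent sign it; with a nil
// parent the certificate is self-signed, which is how a root is made.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func newRootCA(name string, serial int64) *ca {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cert, key := sign(tmpl, nil, nil)
	return &ca{cert, key}
}

// issueLeaf signs a server certificate for host. Nothing in X.509 stops any
// root in the store from doing this for any host, which is the comment's point.
func (c *ca) issueLeaf(host string, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	cert, _ := sign(tmpl, c.cert, c.key)
	return cert
}

// spkiHash is the SHA-256 of the SubjectPublicKeyInfo, the value a pin compares.
func spkiHash(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// browserVerify is the stock check: any root in the store may anchor the chain.
func browserVerify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// pinnedVerify adds the user's own decision: the chain must end at the one
// root chosen for this host, not merely at some root the vendor shipped.
func pinnedVerify(leaf *x509.Certificate, roots *x509.CertPool, host, rootPin string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		if spkiHash(chain[len(chain)-1]) == rootPin {
			return nil
		}
	}
	return fmt.Errorf("%s: chain is valid but not anchored at the pinned root", host)
}

// demo: two roots the client trusts equally, each issuing for the same host.
// Returns the outcomes of (stock, pinned) x (legit issuer, other issuer).
func demo() (plainLegit, plainRogue, pinnedLegit, pinnedRogue error) {
	const host = "bank.example" // invented hostname
	legit, other := newRootCA("Legit Root CA", 1), newRootCA("Some Other Built-in Root", 2)
	roots := x509.NewCertPool()
	roots.AddCert(legit.cert)
	roots.AddCert(other.cert)
	fromLegit, fromOther := legit.issueLeaf(host, 100), other.issueLeaf(host, 200)
	pin := spkiHash(legit.cert) // the one root the user decided to trust for host
	return browserVerify(fromLegit, roots, host), browserVerify(fromOther, roots, host),
		pinnedVerify(fromLegit, roots, host, pin), pinnedVerify(fromOther, roots, host, pin)
}

func main() {
	a, b, c, d := demo()
	fmt.Printf("stock client:  legit=%v  other=%v\npinned client: legit=%v  other=%v\n", a, b, c, d)
}
```

The first two results are both nil: with the stock check, the certificate signed by the unrelated root is indistinguishable from the real one, because validity is "signed by any trusted root", not "signed by the root this site actually uses". Pinning narrows that to one root at the cost of the convenience the reply mentions: the pin has to come from somewhere the user trusts, and must be rotated when the site's CA changes.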

Comment blinders are effective in low light (Score 3, Interesting) 469

Anyone know if those LED baseball caps really work? What about a can of spray paint, aimed at the Glass-hole?

This looks promising, it's an IR based 'camera blinder' that hides your face:
http://www.slashgear.com/surveillance-cam-blinder-2010369/

Dunno how effective it is against different camera types and it does require you to wear a dumb-ass headband but it looks like a promising concept.

I've been playing around with various IR LED types, such as this one, at a couple of wavelengths, and I found that in darkness and twilight you need only very few to become a huge blob of ghostly light, but in good lighting conditions a good camera like an Axis P3367, and even some of the crappy webcams I tried, will see them as merely little points of red light. So I'll integrate a bunch in my backpack's straps and on its surface, to at least get that commute, including subways etc., covered, but with little hope of completeness.

So the real challenge may be: can we build a device that automates lens detection, focuses a small laser on the lens in question, and keeps it there while both the lens and the wearer of the countermeasure laser move along. +1 for a switch that will briefly increase laser power to burning strength. As in using a 2W Laser diode at low power. Capability :-)

Comment My Predator Drones Are Horny (Score 1) 378

My small fleet of predator drones can't wait to get their jamming signals over,
and clamps around some of those flimsy, commercial dronettes unequipped with proper
countermeasures for years to come.

I've freed some well-lit shelf space to display the various remains: Controlled descent with
a predator attached may lead to rough landings if they somehow manage keep their own motors on.

Any payload will be a nice bonus.

Still considering in-air killing techniques.. ideas welcome.

Comment Best Of Both Worlds? (Score 2) 250

They're both right: The network guy about trays being a great solution, and the office designer about trays being butt-ugly.
However, why not work some type of panelling below, rising to the sides of the trays? I'm not a designer by far, but it seems to me that
hiding the trays cannot be exceptionally difficult, and can be done with much freedom of style. And all of that should be open from the top,
and far enough from the ceiling to keep easy access.

Next, the cables coming down. The covering should accommodate cable drops without these having to "spill over", and in a way that keeps them very accessible. Simple holes? Also, the cables themselves could be surrounded by some spiral or other form, lending them style and possibly even some strength. The spiral could even be strung between the casing and the desk, making it an active element of design, rather than a trick to 'hide the ugly cable'.

The panelling could be cut/painted in a themed shape/color, or be kept elegantly simple, depending on the design of the surrounding office.

-f

Comment GeeksPhone Peak+ (Score 1) 91

http://shop.geeksphone.com/en/phones/8-peak.html

        CPU Qualcomm Snapdragon S4 8225 1.2Ghz x2.
        UMTS 850/1900/2100 (3G HSPA).
        GSM 850/900/1800/1900 (2G EDGE).
        Screen 4.3" qHD IPS Multitouch.
        Camera 8 MP (back) + 2 MP (front).
        4 GB (ROM) and 1 GB (RAM).
        MicroSD, Wifi N, Bluetooth 2.1 EDR, Radio FM, Light & Prox. Sensor, G-Sensor, Compass, GPS, MicroUSB, Flash (camera).
        Battery 1800 mAh.

Comment Re:Wouldn't Java be a counterexample? (Score 1) 394

As opposed to Java's "write once, debug everywhere", you mean :-)

I understand where you're coming from with that comment, however.
When I tell folks I'm back to C/C++, the comments I get are mostly

"how will you get the horrible memory management right"
"you will get into trouble with POINTERS" (the last word pronounced like "ZOMBIES" in a 1970's B-movie)
"you'll get STACK OVERFLOW and you'll be hacked!"

This is mostly because all you young folks have stopped looking at C/C++ after school, and remember them in the state they were in at that point.
Today, and for at least a decade, memory management is clean and easy to use, in C++, pointers have always been a matter of
understanding how they work, to use them right, and compilers have come a very long way in warning us, and by now, not getting
your boundaries right has about the connotation of not being literate, amongst developers. In other words, it's a matter of being a proficient
developer, and that goes for Java as well.

Time has passed, the language, the standard libraries, and the developers have grown up. I'm just sad that many of us (including myself) have been
side-tracked onto someone's corporate agenda, and that we're only waking up now.

In that sense, I'm glad that Oracle bought Sun Microsystems. Sun's "Unix Veterans" aura may have prevented many from seeing Java for what it was. Oracle certainly awakens no such emotions :-)

Comment The Sad Truth About Java (Score 1) 394

What makes me so very sad about the Java/J2EE situation, is that so many folks have wasted so much time and energy,
and often written excellent code, to make Java/J2EE the platform that has the most comprehensive and the most advanced
set of libraries available, while remaining, in my opinion, a misguided, marketing-driven, anachronistic attempt at domination,
and a crippled language (forced GC, no delete operator).

All that wasted energy could have gone into a serious programming language and environments supporting it. If you look
at what C++ has become, I feel Java is a joke, and J2EE Application Containers are a foolish attempt at replicating the functions of an OS.
Java failed on the desktop, and is now Legacy in Enterprise environments, on the server-side. There's no future for it since young folks have moved on to more advanced languages, and old folks have stuck with C/C++ and will return to it (I know I am).

And Multiplatform? Gimme a Break! How many viable platforms do you think we have remaining, server-side? I think there's more than one (There's BSD and there's GNU/Linux, and there may one day be HURD), but guess what.. They're all "Not Unix" and therefore, easy to code for as if they were all Unix :-)

Comment Mind-numbing has a few subtle meanings (Score 1) 157

While I'm certainly one of those people who find it "mind-numbing" that someone would want to use tiny screens and tiny fiddly on-tiny-screen change-mode-every-3-key-caresses (can't make myself call *that* key-"stroke"s), waste an entire hand holding the device, and put up with barely-past-modem-era connections and modem-era connection reliability, etc., in the first place, when large-screen laptops with decent keyboards and 100Mbit/s to the home and office are readily available, it can also be said that the only thing to be gained, in my view, the "mobile" aspect, reminds us of the *other* meaning of mind-numbing: It will numb your mind to be "online" and "reachable" all the time, because your mind *requires* being "offline" for its normal functioning.

https://neurowiki2012.wikispaces.com/Default+Mode+Network

Now.. driverless cars may be a solution.. give you time to daydream so your DMN can function properly, unless you spend the time "being online".. But I'm not charmed by any of the other "moonshots", either. For Glass, it's a matter of being able to take it off, and not becoming a Gargoyle. And Loon.. Are "rural areas" then to be Google's "perspex boxes" as in

http://www.piers.org/piersonline/vol1/2k5hz_p638.pdf

to see if rural folk's albumin will leak out of their brains, as it did in the rats (sarcasm, but not quite crazy)?

-f
