
Comment Re:Sure but.. (Score 1) 596

Now how can we apply this to software. Well some precautions can be taken but they generally aren't very effective. It only takes one person out of billions to figure it out and share it. So you have to weigh the costs of implementing copy restrictions which includes the man-hours to develop that code and the inconvenience to paying customers. The shrinkage rate needs to be taken into consideration. Software shrinkage would be unsustainable if you actually lost product every time but you don't. There is opportunity costs but no costs associated with replacing the product.

I have three or four apps on my Android devices which implement DRM features. Some of them are 'phone home' features. Some of them are 'buy a crypto key to activate this app instance' features. You know what? That's fine. I like these apps enough that I'll pay for them. I also like Android's "broken" model enough that I'll stick with Android; Android's "broken" model let me root my phone, clean the ROM's crap out and integrate the Dalvik cache. I can't hope to explain how much this has improved the phone's performance for me.

Given the choice between something like Android and a feature phone, I'd probably go back to a feature phone. Thankfully, Google opened the barn door, and even if Android stops being produced, alternatives like Cyanogenmod and WebOS will take its place. Given the rate hardware's getting commoditized, we're not that far off from someone like BeagleBoards coming out with devices with CDMA, WiMax and GSM modems.

Comment Re:wow (Score 3, Insightful) 158

I doubt Linus is getting more bitchy than normal. He's just had more 'popular' exposure and attention of and to his rants than normal. It's easy to guess why: Google+ gives him a lot more exposure and spread. Prior to his posting the rant against the root password requirement on Google+, I don't think I'd seen any of his opinions outside of near-fluff interview pieces or, possibly, LKML emails.

Certainly, people didn't care as much until they saw him lambast OpenSuSE developers. That got their attention and interest, and so folks like Slashdot and NetworkWorld are more likely to cover it. Heck, this kind of story is even out of character for /..

Linus only seems more bitchy because people are looking at him more.

Comment Re:Who has a good VPS for $10/mo or less? (Score 1) 136

After trying for months to keep ahead of spam using a regex extension called AbuseFilter, I ended up realizing that Google's ReCAPTCHA was broken.

I'm still on top of SPAM, but mostly by requiring email confirmation, and by having three or four people who watch the RC feed, block bad users and delete bad content.

I switched my MediaWiki to QuestyCaptcha. Each of about a half dozen questions about classic literature links to a Wikipedia article that contains the answer.

I'll have to check out QuestyCaptcha, but I've got a lot of non-English users. Thanks for the tip!

Successful spammer registrations dropped to zero. Someone using a wiki farm wouldn't have this sort of story to tell to an interviewer.

Honestly, the story of managing load spikes and such in a VPS environment is a far, far more interesting story to tell than anti-spam techniques. Believe me, I've walked the entire path.

In other words, the "warn" method [pineight.com].

Sure.

Comment Re:Who has a good VPS for $10/mo or less? (Score 1) 136

SSL is considered a subscriber perk.

Ah. I thought I still had subscriber credit. I got one of those 'as thanks for...you can now use Slashdot without ads' emails. Only other time I'd seen that kind of behavior was when I was a subscriber.

For one thing, what sort of anti-spam mods and specialized markup mods do MediaWiki and phpBB farms offer?

Beyond captchas? Very probably things like mod_security, firewall rules blocking bad netblocks from accessing the server. (Doing this was the single most-effective anti-spam mechanism I ever saw.) Using DNSRBLs for realtime tracking of bad source IPs.

For another thing, it might be a custom web application, other than a popular blog, forum, or wiki, that still needs user accounts. Such an application might form part of a job seeker's portfolio to present to prospective employers who "don’t interview anyone who hasn’t accomplished anything" [techcrunch.com].

If you're building a site as part of an operating portfolio with a user base, you can certainly afford an extra IP if you need it. Right now, it doesn't cost very much. If you're merely showcasing a web application, you don't need SSL. If the potential employer is going to ding you for being vulnerable to Firesheep on a site where it doesn't matter, either you're applying for a security-related job, or the guy doing the analysis is a pedantic dick.

And if you do user accounts without TLS, you're vulnerable to Firesheep.

I've never argued otherwise. That said, there are ways to cope with things like Firesheep. Such as tying operating profiles to browser fingerprints. (There's a lot more identifying information in each HTTP request than just your User-Agent string.)

Most shared web hosts that I've looked at don't even offer SNI hosting because they cater to the IE-on-XP demographic.

Then either educate them, use a different provider, or school them by running a shared web host that does offer both SNI and IPv6, and advertise like crazy on Slashdot and Reddit.
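The "tie profiles to browser fingerprints" idea from the comment above, as an added example (not code from the poster or from any of the projects named on this page): a small session table that records an HMAC over a handful of request headers at login and refuses, then revokes, a session cookie presented with a different header profile. The header set, the sample browser strings and the in-memory store are all assumptions constructed for the demonstration. A cookie captured on an open wireless network and replayed from another machine normally arrives with that machine's own headers, which is what this catches; an attacker who copies every header defeats it, so it narrows the Firesheep window rather than replacing TLS.

```python
import hashlib
import hmac
import secrets

# Request headers that are stable for one browser install but tend to differ
# across clients. (Added example; this particular header set is an assumption.)
FINGERPRINT_HEADERS = ("User-Agent", "Accept", "Accept-Language", "Accept-Encoding")


def fingerprint(headers, secret):
    """HMAC over a canonical form of the selected headers.

    Keying with a server-side secret means a leaked session table does not
    reveal the raw header values, and a digest cannot be precomputed offline.
    """
    canonical = "\n".join(
        f"{name.lower()}={headers.get(name, '').strip()}" for name in FINGERPRINT_HEADERS
    )
    return hmac.new(secret, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


class SessionStore:
    """In-memory session table; one entry per login, bound to a fingerprint."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)
        self.sessions = {}

    def login(self, user, headers):
        token = secrets.token_urlsafe(32)  # the value that goes into the cookie
        self.sessions[token] = {"user": user, "fp": fingerprint(headers, self.secret)}
        return token

    def resolve(self, token, headers):
        """Return (user, status). A mismatched profile revokes the session."""
        record = self.sessions.get(token)
        if record is None:
            return None, "unknown-session"
        presented = fingerprint(headers, self.secret)
        if not hmac.compare_digest(record["fp"], presented):
            del self.sessions[token]  # treat the cookie as stolen: force a fresh login
            return None, "fingerprint-mismatch"
        return record["user"], "ok"


# Constructed sample traffic: the legitimate browser, then the same cookie
# replayed from a different client on the same wireless network.
ALICE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
}
REPLAY_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "de-DE,de;q=0.8,en;q=0.6",
    "Accept-Encoding": "gzip,deflate,sdch",
}


def demo():
    """Walk through login, a legitimate request, a replay, and the aftermath."""
    store = SessionStore()
    cookie = store.login("alice", ALICE_HEADERS)
    return [
        store.resolve(cookie, ALICE_HEADERS),   # ("alice", "ok")
        store.resolve(cookie, REPLAY_HEADERS),  # (None, "fingerprint-mismatch")
        store.resolve(cookie, ALICE_HEADERS),   # (None, "unknown-session"): revoked
    ]


if __name__ == "__main__":
    for user, status in demo():
        print(user, status)
```

Revoking on mismatch is the conservative choice for a small site: the legitimate user gets logged out and simply logs in again, while the replayed cookie is dead after one use. Keying the fingerprint with a secret also avoids storing header strings in the session table, which would otherwise be a small privacy leak of their own.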

Comment Re:Who has a good VPS for $10/mo or less? (Score 1) 136

So in other words, IPv6 from the backbone to a home PC's 802.11g radio will be deployed around the time the last mainstream non-SNI PC operating system is scheduled to die anyway [microsoft.com].

Pretty much.

So how would you explain to the users that a blog, forum, or wiki is supposed to raise a serious certificate error after the user is logged in, and that HTTPS with such a serious error is safer for the user than an HTTP connection that can be Firesheeped?

Ask the gentoo guys behind bugs.gentoo.org, who use a CA whose cert isn't generally shipped, or anyone who's using a self-signed cert. I'm not here to get into an argument over the weights, values and concerns of various degrees of encryption and authentication. For some, it's enough that passive sniffing isn't feasible. For some, that isn't enough, and you need to authenticate the server identity.

Don't ask me to make grand sweeping statements of 'X is enough security', because security is a case-by-case thing. Heck, I note that even Slashdot isn't defaulting to SSL.

The difference between $5 per month name-based shared hosting, which may put a thousand or more domains on one IPv4 address, and a VPS. You mention a $5 to $7 per month VPS plan; which provider do you recommend?

I use prgmr.com. I wouldn't put a full LAMP server on a $7/mo plan; the low-end plans wouldn't really be up to it. But, again, I could easily imagine paying that just so you can drop a squid proxy server on it listening on port 80. Have your domain point to that. Have squid serve as an accelerator proxy, pointing to your shared hosting provider. Squid can wrap your clients' connections with your SSL cert so they can't be firesheep'd on their local wireless or by their local malicious network. Granted, the connection between squid and your shared hosting provider is unencrypted, but the people on that route are far less likely to care. (so long as your VPS and shared hosting provider are in the same country).

Personal use SSL certificates have been free of charge from StartCom for some time now.

StartCom's free certs are only good for a year. You're far better off spending a dollar or two more per month than spending time every year coping with cert rollover headaches. If you can't afford that (after spending $7-10/yr for a domain), I have to wonder why you aren't using a wiki, forum or blog farm that handles these things centrally, and for free.

Is there a standard WordPress app, a standard phpBB 3 app, or a standard MediaWiki app?

There's a Wordpress app. I don't know if a MediaWiki app has cropped up, but I'd been considering writing one as an interface to my own site. I don't know if anyone's written a phpBB 3 app, but I can imagine some real benefits to it. (Imagine having your phone use the normal notification channel to inform you of PMs or replies.)

The market is in a crunch right now, with security concerns and IPv4 address depletion. It's not a pretty situation, and something has to give. Before anything else, that's going to be the IE-on-WinXP market. (IPv6 doesn't even solve the IE-on-WinXP issue, since you need to explicitly enable experimental IPv6 support to get it on WinXP.)

According to Google Analytics, my site had 126,947 visits over the last month, and only 5,480 of those were from IE-on-WinXP. That's 4.3% of my traffic. I'd stop giving one whit about IE-on-XP once it's down to about 5%, so IE-on-XP is no longer something I need to care about. Heck, I had 22,387 visits from WinXP during the same period, which tells me only one in four WinXP users are still using IE when they visit my site.

IE-on-XP is not a demographic most people need to be reaching for. And, really, if you need TLS, and you need a non-SNI circumstance, and you can't afford another $5/mo (heck, even Linode was only charging $1/IP more, last I checked), then you need to put up a donation link with something like PayPal, and get your users to help support a service you obviously can't afford to provide on your own. That's what carried my site for a couple years.
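The squid-in-front-of-shared-hosting arrangement described in the comment above, written out as a squid.conf fragment. This is an added example, not the poster's configuration: the hostnames, certificate paths and peer name are placeholders, and it assumes a Squid 3.x-style accelerator setup with the VPS's own IPv4 address answering on ports 80 and 443.

```squid
# Terminate TLS on the VPS with your own cert; the domain's A record points here.
# (Placeholder hostnames and paths; added example, not the poster's config.)
https_port 443 accel defaultsite=www.example.org cert=/etc/squid/example.org.pem key=/etc/squid/example.org.key
http_port 80 accel defaultsite=www.example.org

# The shared-hosting origin. This hop is plain HTTP, as the comment notes;
# keep the VPS and the shared host on the same network path you are willing to trust.
cache_peer shared.hosting.example.net parent 80 0 no-query originserver name=origin

# Only forward requests for our own hostname, and only to that one origin,
# so the accelerator cannot be used as an open proxy.
acl our_site dstdomain www.example.org
http_access allow our_site
http_access deny all
cache_peer_access origin allow our_site
cache_peer_access origin deny all
```

Two things the fragment does not do for you: the origin now sees the VPS's address as the client, so the shared-hosting application has to read the client address from the X-Forwarded-For header squid adds (and trust that header only when the request came from the VPS), and squid does not decide which cookies are sent only over HTTPS; the application still has to mark its session cookie Secure, otherwise a plain-HTTP visit to port 80 leaks it exactly as before.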

Comment Re:Internet Explorer on Windows XP (Score 1) 136

What is your plan to make it happen? Will you be breaking in to people's homes and replacing their PCs?

Nobody has to make anything happen that isn't already either planned (Microsoft will stop supporting it) or physically inevitable.

Hardware will die. Software will get screwed up. Installation media will be missing. It will become cheaper for the 'family tech guy' to get his parents something newer or different as a replacement. There will be die-hards who will want to stick with Windows who will refuse to change. Those die-hards are outside the demographic of the vast majority of website maintainers.

So it went with Amiga, Commodore64, DOS, Win3.1, OS/2, Win95, Win98, IPX, token ring, Linux ipchains, VAX. DEC Alpha. So it goes. So it shall go.

When you are done, you should make everyone stop smoking and end poverty.

Heh.

Comment Re:Google only recommends SPDY with SSL/443 (Score 2) 136

Translation: SSL libraries are big and scary, SSL is big and confusing and I have no idea what the hell it does so it's bad.

Actually, the better argument I've heard is that OpenSSL is very poorly documented. And I've heard this complaint from numerous people...to the point where some even started looking into fresh implementations.

Comment Re:IE on XP, and Android 2.x too (Score 2) 136

If you think home ISPs haven't been scrambling to catch up on IPv6, you haven't been paying attention! Comcast is rolling it out right now. DSL providers are deploying 6rd. Mobile providers are deploying. Within a year, most end-users (in the US) will have access to IPv6 from their ISP. Within two years, most end-users will have replaced their non-IPv6 CPEs with ones which support IPv6. But IPv6 isn't the only solution to the problem, either.

Right now, most small website operators should avoid TLS if they only have static content. Otherwise, they need to make a decision between supporting XP and shelling out for a dedicated IP. Me, I'd probably drop support for XP, and let the end-user click through a cert warning if that's what they're inclined to do.

How much more per month are we talking about for a dedicated IP, anyway? I know how you'd set up joe random guy with a dedicated IPv4 address using a proxy server on a $5-7/mo VPS. Seems cheap to me, especially compared to what joe already spent to get a valid SSL cert.

As far as Android...a number of websites are pushing their users to use simple apps instead of the Android browser. As a user, this annoys me, as my LG-509 doesn't have much space unless I root it and clean it...but I can see how it offers a better interface to the server, and how it changes authentication and connectivity concerns.
