
Comment Re:Flash memory in a keyboard? (Score 1) 275

This hack could be done to any usb keyboard.

A firmware flashing utility that refused to flash if the firmware image isn't from the manufacturer would be annoying. There are useful firmwares that are hacked. DVD firmware that removes regions comes to mind.

While a BIOS is a firmware, a firmware is not a BIOS.

This hack also requires physical access, which means there are other ways to compromise the system.

Comment Re:Retarded (Score 1) 874

I wish there were more things that couldn't be in any contract.

Have you seen some of the things in a credit card contract?

-Changing the terms of the agreement as long as they notify you. Your only choice is to cancel the card and pay the balance in full. Instead of okay pay us back (on the original terms) but don't make new purchases. (Otherwise the new terms apply to those new purchases)

-Changing the cost of the agreed upon APR if you make a simple human mistake. Instead of just charging you more for new purchases it applies to your old purchases too.

-Putting things in such a legalese language that it takes being a lawyer to really understand.

These things and more just shouldn't be done but they are, and with a lot more than just credit card agreements. Things no sane person would really agree to. But really how enforceable is that crap if we banded together and fought back?

I know many will say that it's not your money. Which is why I put in the provision "any new purchases".

Comment Re:Encrypted traffic... (Score 1) 265

You're not getting it. If ALL the traffic is going through the middle man the middle man can fake everything! Including the cert.

The only way is to get something around the middle man; this may mean giving your public key in person to the other person you want to talk to. Only then can you know that the middle man is there. Since your keys wouldn't match at that point.

The cert is there to make it unreasonably hard to do a man in the middle attack with ssl. It won't do anything with a perfectly executed attack.

Everything I have talked about is possible but extremely unlikely. With the resources used to do such an attack it may be easier to just break down the user's door who is using the encryption and torture them for the password.

Don't be fooled into thinking the system is perfect; it isn't.
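Added example, not part of the comment above: a small simulation of its point that a party carrying all the traffic can swap the key and any check sent along the same path, while a fingerprint handed over in person exposes the mismatch. The Diffie-Hellman parameters are toy values and `Interceptor`, `receive` and `exchange` are hypothetical names constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only:
# 2**127 - 1 is prime but far too small for real use.
P, G = 2**127 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(pub):
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def honest_network(msg):
    """Delivers the key message unchanged."""
    return msg

class Interceptor:
    """Hypothetical on-path party that sees ALL traffic between the peers."""
    def __init__(self):
        self.priv, self.pub = keypair()

    def __call__(self, msg):
        # Swaps in its own key and rewrites the in-band fingerprint to match.
        return {"pub": self.pub, "fp": fingerprint(self.pub)}

def receive(network, sender_pub, pinned_fp):
    msg = network({"pub": sender_pub, "fp": fingerprint(sender_pub)})
    got_fp = fingerprint(msg["pub"])
    in_band = hmac.compare_digest(got_fp, msg["fp"])      # check sent over the same path
    out_of_band = hmac.compare_digest(got_fp, pinned_fp)  # check against in-person value
    return msg["pub"], in_band, out_of_band

def exchange(network):
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    # Fingerprints handed over in person, so they never cross the network.
    b_seen, a_in, a_oob = receive(network, b_pub, fingerprint(b_pub))
    a_seen, b_in, b_oob = receive(network, a_pub, fingerprint(a_pub))
    return {
        "in_band_ok": a_in and b_in,
        "out_of_band_ok": a_oob and b_oob,
        "secrets_match": pow(b_seen, a_priv, P) == pow(a_seen, b_priv, P),
    }

if __name__ == "__main__":
    print("honest path:     ", exchange(honest_network))
    print("intercepted path:", exchange(Interceptor()))
```

On the intercepted path the in-band check still passes, so only the comparison against the in-person fingerprint reports the substitution.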

Comment Re:Encrypted traffic... (Score 1) 265

If all the traffic is going through the man in the middle then another cert can be inserted.

It's possible but not probable. The reason being that since packets will go to their destinations taking different paths.

So yes if the client already has the cert. But if it has to traverse a compromised network then the cert can be man in the middled too.

This is assuming a perfect setup for doing this man in the middle.

Comment Re:Encrypted traffic... (Score 1) 265

Don't really need a fake tracker. Just a way of intercepting the traffic.

If I can get the tracker's traffic and client's traffic to be redirected to me first then any traffic after that can be altered and appear to be from the two hosts. If I replace the keys with my own then my host will look like the host the two hosts are expecting but using my public key instead.

What you're assuming is the secure connection was brought up in a secure way. If it isn't then you can't really be sure the connection is secure.

Comment Re:Encrypted traffic... (Score 2, Insightful) 265

It's funny you just proved my point.

The internet is an insecure network. How does anyone know if they have a secure connection? Sure they can know this once a private/public key pair has been exchanged. But how do we know that the public key given to us is good if there is man in the middle to intercept the keys between the "trusted groups"?

I should have been more descriptive. Without physically exchanging the keys with the other parties there isn't a way for an automated system to know; without testing, but then the middle man can make it so those tests pass. (A smart human could check)

Your assumption of there being a secure path over an unsecure network is what's wrong. If the keys/certificates can be exchanged in a way of knowing that they haven't been (all) intercepted and then altered, then the encryption would work.

But since there is so much information traversing the network all that I just talked about is theoretical and isn't very probable. Encryption is hairy stuff, since you have to cover all points of possible exploitation.

Do you see what I see? Back to my original point we need our ISPs to take on true common carrier status.

Comment Re:Encrypted traffic... (Score 2, Insightful) 265

He was talking about using a man in the middle attack. Both parties think they are talking to each other.

It doesn't matter if the tracker sends us a SSL key for us if a man in the middle attack can be used. The only way to be sure the key isn't altered is to get that key directly from the source. How you do that is up to you.

There isn't much that is open about "OpenDNS". OpenDNS is a bad solution for a non-issue problem. Please stop advertising for them.

What we should be fighting for is for ISPs to be common carriers. Then there really isn't a market for this type of monitoring hardware. Other than for some company firewall.

Hardware Hacking

New Connections For Stretchable, Twistable Electronics 60

tugfoigel writes "Jizhou Song, a professor in the University of Miami College of Engineering and his collaborators Professor John Rogers, at the University of Illinois and Professor Yonggang Huang, at Northwestern University have developed a new design for stretchable electronics that can be wrapped around complex shapes, without a reduction in electronic function. The new mechanical design strategy is based on semiconductor nanomaterials that can offer high stretchability (e.g., 140%) and large twistability such as corkscrew twists with tight pitch (e.g., 90 degrees in 1 cm). Potential uses for the new design include electronic devices for eye cameras, smart surgical gloves, body parts, airplane wings, back planes for liquid crystal displays and biomedical devices."

Comment Re:Goodness gracious me (Score 4, Insightful) 570

HFCS is only less expensive because of the sugar tariffs placed on the importing of sugar.

The problem is political.

Corn farmers are getting tax incentives to grow corn.

Then creative people need to figure ways to use all this corn.

It's hard to find something in the USA that isn't made with corn. It's not the healthiest thing. Farmers could be growing crops that are much healthier.

It's not C&H's fault that there is a sugar tariff.
