The GPS time-UTC offset is transmitted as part of the GPS almanac and virtually all receivers should interpret it as soon as it is received. From a cold start with an old receiver, this can take up to 12.5 minutes but most modern GPS receivers can get this in a few tens of seconds to minutes.

In addition to a few handheld navigation-type GPS receivers and one for a car, I have six individual GPS timing-grade receivers (2x Motorola Oncore UT+, 2x Trimble Resolution T, 1x Garmin GPS 18x LVC, and 1x Trimble Thunderbolt) on or around my desk.

Naturally, this isn't something a typical person has, but tinkering with such things is one of my several diverse hobbies. Several ham operators I know have a Thunderbolt or other GPS-disciplined oscillator to provide a stable frequency reference for their radios.

A few friends have GPS-based emergency rescue beacons (they often hike or climb in remote areas where phone service is not available), while others have beacons so they can find their large amateur rockets.

True, Selective Availability is disabled or otherwise not available on the new satellites, but the government still retains the ability to deny GPS on a regional basis.

See :

That said, civilian GPS receivers are often quite a bit better, more handy, and more advanced than military ones and a lot of soldiers use them in combat areas. Sure, the military ones are more rugged and get the encrypted military-only channel with better accuracy, but sub-meter accuracy is only really needed for smart bombs and the like. It's less useful for driving a Humvee down the street somewhere or finding out how to get back to base. Handheld civil GPS receivers are typically accurate down to the 3-5 meter range, which is only slightly worse than the military ones.

Denying civil GPS signals in certain regions would almost certainly make things worse for US soldiers, so it's extremely unlikely that the military would ever do regional denial of civil GPS except in the most extreme situations. Even then it'd have limited effect because GLONASS (Russian), Compass (Chinese), and Galileo (EU) are or will soon be perfectly viable alternatives that bad guys could use for guidance.

Seconded. I routinely use RS232 for communicating with various devices. It's simple, reliable, and easy to work with. USB-to-serial adapters are ok, but I prefer native ports, particularly for things with timing-sensitive requirements.

Private keys for S/MIME certs ("client certs", more generally) are generated automatically in the browser, a CSR is generated and sent automatically to the CA for verification/signing. No command-line utilities are needed at all and the private key doesn't leave the browser. Quick, easy, and secure.

If you go through the process to get an S/MIME cert at StartSSL or other CAs, everything is handled seamlessly in the browser without the CA generating (or knowing) the private key.

Of course, StartSSL offers the function to generate the private key for *server* certs for you (which is stupid but convenient) by default but one can readily submit a CSR for signing in the normal way.

Agreed.

Although not the cheapest (a .com with NameCheap and whois protection costs $13.57/year. With Gandi it's $15.50), I find that you get what you pay for: for an extra ~$2/year or so you get clueful staff who respond promptly and competently to issues, built-in whois protection (lots of registrars charge extra for that) that ensures that you're still the legal owner of the domain (your name is listed as the registrant, but all the contact information can be masked with Gandi's information by the whois protection), the ability to add DS records for DNSSEC (neither NameCheap nor Hover allow this), a good API if you want to do things programmatically, and a great UI. You get a free SSL cert when you register/transfer in a domain, and SSL certs can be purchased from them (they chain up to Comodo) for a reasonable price.

They support a variety of organizations, including the EFF and Debian, that do good works on-line and off-.

Also, they're located in France. This offers some protection from various US shenanigans when it comes to seizing domains (assuming the TLD is not US-based), if that's something you're worried about. It's not perfect, of course, but it's something to keep in mind.

They offer decent, anycasted DNS service. Their nodes are located in Paris, Luxembourg, and Baltimore, so they have reasonable resolution speeds in Europe and North America. Nothing fancy, but it works well. You can, of course, use any other DNS host you want (e.g. one run by your web host, a third party service like easyDNS, etc.).

They also offer three types of hosting: basic web hosting, "Simple Hosting", and VPSs. The VPSs are pretty bog-standard, so you won't see any surprises, but I find DigitalOcean to be a better value for VPSs. The "Simple Hosting" is interesting to me, as it's a sort of crossover between shared hosting and a VPS: you choose what type of instance you want (PHP, Node.js, Python, or Ruby), what database type you want (MySQL, PgSQL, or MongoDB) and how much resources you need and you get a dedicated instance of that type. Instances are managed by a hypervisor so other users on the same hardware are logically separated and don't interfere with your service. Additionally, they put a Varnish cache server upstream of your instance so it's extremely fast.

Alternatively, I recommend NearlyFreeSpeech.net for excellent hosting.

In short: Gandi is a fine registrar and I strongly recommend them.

I've been using a CODE Keyboard for several months now. I really like it.

It's a mechanical keyboard using Cherry MX Clear switches, so it has a good tactile response without being super clicky. Certain settings can be changed using a DIP switch on the bottom. The keyboard uses a standard, detachable micro USB cable: cables have always been a weak spot on my keyboards, so it's nice to know I can replace it if needed.

The keys are mounted on a steel plate (not as heavy as the Model M, though) so they keyboard feels very solid.

You can absolutely delete files in Amazon Glacier if the access key you're using has that permission enabled. I imagine there's a surprising number of people who use their AWS root account credentials to access Glacier even though this is strongly discouraged. Even if one creates a new IAM user with access only to Glacier (so a bad guy who compromised your computer can't spin up EC2 instances), the default is for all permissions to be enabled.

Of course, you can disable the permissions to delete files: I've done that, and it works well, but it's not the default. I have a separate IAM user with list-and-delete privileges, but that is a separate user in FastGlacier and requires a password to use -- that keeps me from inadvertently fat-fingering the delete key.

Sure. Just end the address with a dot, which identifies the name in the URL as being absolute.

For example, http://ai./ is a site in Anguilla that uses the TLD as its own name. However, if you leave out the dot it doesn't work -- this is a bit of a pain and most TLDs won't let anyone use the TLD itself as a name.

To be fair, Snowden and Greenwald met in person and verified their key fingerprints. While useful in many situations, the WoT was not really a factor there.

Email certs != SSL server certs. Are you sure you aren't thinking about CAcert instead, which does offer free email and server certs, but which isn't included in browsers? Obviously, CAcert's lack of inclusion in browsers makes it less useful for mose uses. Comodo, however, is a major certificate authority.

Various surveys, including this one (daily updates available here), scan HTTPS-enabled and report on the share of CAs.

Comodo recently overtook Symantec, which was probably helped by CloudFlare enabling TLS for all their customers (including free ones) using Comodo-issued certs -- that single action essentially doubled the number of HTTPS sites on the internet.

Who buys certs direct from Comodo? I always get them via a reseller like NameCheap. The NameCheap user interface is halfway decent: no need to deal with Comodo online management, popups, etc. I've never gotten any "special offers" or unwanted mail as a result of buying their certs. Your mileage may vary, of course.

But yeah, they're cheap, widely trusted by browsers, and generally work well. They're also the only CA I know that issues ECDSA certs from an all-ECDSA root/intermediate chain at a reasonable price (same price as RSA certs, typically less than $10/year), which is nice if you're interested in moving away from RSA for whatever reason.

AWS strongly discourages the uses of root API keys, as they give bad guys who find them the "keys to the kingdom". Why should the credentials for one's S3 account also work for creating EC2 instances?

Amazon provides extensive control over access credentials through IAM, so one can create (for example) an S3-specific user with limited privileges and generate API keys for that user. If they get compromised, the bad guy has limited access: they might be able to add new files to S3, which is bad, but it's less bad than them spinning up hundreds of servers for nefarious purposes, deleting all your files, etc.

Judicious user of IAM can also reduce user errors: I use Amazon Glacier for backing up certain critical files (e.g. wedding photos, baby photos, copies of wills, passports, etc.). I created an "upload, view, and restore/download" user for Glacier that explicitly does not have the "delete" permission enabled. I have a second IAM user with "view and delete" permissions. API keys for both users are stored in FastGlacier, with the "delete" user credentials stored encrypted so I need to enter a password to switch to that user. The user without delete permissions is the default user and the credentials are not stored with a password. This way I can do the standard backup/restore functions needed while working with backups but significantly reduce the possibility of my accidentally deleting backed-up files if I fat-finger the wrong key.

Huh. I didn't know that, as I only have ever done the individual verification. It's not uncommon for someone to wear many hats (i.e., to be affiliated with several organizations). It'd certainly be nice if their system allowed for a single individual account to switch between different "identities", so that one could issue certs for themselves or any number of organizations with which they're affiliated and which they've validated with StartSSL.

Have you suggested such an improvement to them?

Technically, yes, but policy-wise, no: Class 1 certs are not intended for commercial use.

It's hard to directly compare the two offerings, as StartSSL charges for validation but you can issue numerous certificates at no additional cost. Other CAs charge on a per-cert basis.

As you suspected, the $9 offering from PositiveSSL is for a single, non-wildcard, non-SAN certificate. NameCheap also sells Comodo PositiveSSL multi-domain certs for $30/year for up to 100 domains, which is quite a reasonable price. Of course, those certs are domain-validated only. Organization-validated multi-domain certs start at $90/year. That's cheaper than StartSSL, but only gets you a single cert with multiple SANs. If you needed more than one, StartSSL is the more economical choice. Wildcard certs are also available, with Comodo wildcards costing $94/year.

Switzerland. The trains are great but the beer's bloody expensive.