The way some bank do it, is that the authification asker (a 2F-protected service provider) sends a signed/encrypted message, that the security token decodes/verifies/displays. That message can't be tampered with (cryptography).

So the token will display the message (something like "Authentication required to access GMail.com").
so if an attacker tries to intercept your credential by opening an actual google page in the background, you'll notice that what the thing pretends to be on screen and what the dongle register as an asker aren't the same.

The way to fool the user would be to try to look actually like the page you're trying to spoof. So an attacker needs to look like GMail, so the user thinks he's on Gmail, whereas actually it's a malware page maskarading as it and relying security tokens from the real Gmail.

Now the way that banks counter-act that, is that any critical action (payment, etc.) needs to be confirmed again by the security token system. So the theoretic man-in-the-middle can't inject payment for 10'000$ for his Cayman Islands account. Because every payment needs to be confirmed again. And the bank will issue confirmation message regarding transaction.
You'll notice if when paying a phone bill, the confirmation message instead is 10'000$ for Cayman Islands.

Overall, it works as if the security token is its very own separate device, designed to work over non-reliable non-trusty channel.

(The device doesn't implement a full TCP/IP stack. Most example device accepts only:
- a string of caracters as an input (i.e.: you need to type the last five digit of the account you need to send funds too. The bank will notice when you type the digit of your utility company, but the man-in-the-middle has tried to inject a cayman island account from your browser).
- a 2D flashing barcode to automate string input.
- for the most crazy solution: writing a string to file on a flash-disk, this flashdisk is shared with the security token's microcontroller.
Each time, the attack surface is very small. Only a short string of data is passed. You can't get much exploitable bugs.

For the output, only a string again:
- that you read and type from the token's screen.
- that the token can type on your behalf, communicating with a HID chip on the same device.
- the token can send it to a flash device that makes it visible inside a file.
Again, the security token it self is limited to send just a string. Very small attack surface. All the funny "stuff" are implemented outside, and thus very low risk of remote exploitability)

Again, there's a reason why Glide wrapper tend to target OpenGL 1/2 instead of 3/4.

Glide is fixed pipe.
Glide and the other APIs back then (DirectX 7, OpenGL 1/2, etc.) where about just painting plain triangles. Paint triangle with tips at vertex v1,v2,v3 using texture T1, optionally a second texture T2 as lightmap (and for the few architecture that did have it: using a third texture T3 as a bump map).
That's it.
For any pixel on the screen, the only thing the hardware is capable of is geting 2 or 3 textures (interpolating them and mipmaping them), and combine these 3 texture in a hardware specific and fixed way.

Modern APIs (OpenGL 3/4, DirectX 9, and 10/11, Mantle) are all about programmable shader. For any pixel on the screen, you run a small program (a kernel in mathematics) which can do pretty much anything you want. You can ask the hardware to draw pretty much anything you want. You could even ask the hardware to draw a mandelbrot set (I've done that).
Your modern API relies on a back-end that export the functionality of these general-purpose highly parallel processor that are GPU (Gallium3D is exactly such a back-end. DirectX 11, Mantle, and OpenGL Next are API that promise to stay as close as possible to this low level) (and OpenCL is a way to make this available for other kind of general purpose computing). On top of it, it has a high level API that still works in a highly customisable way: you write shaders that will combine several texture in the way the artist would need (including effects like occlusion mapping, translucent and sub-surface scattering, etc.) and the API converts these mid- high-level shaders and texture accesses, into lower level kernels and memory access to generate whatever is needed on the screen, no matter how complex the maths behind are. (remember: a Mandelbrot set is perfectly doable, even if completely useless).

That's also why DirectX state tracker makes a bit sense: DirectX is supposed to be a little bit less high-level on the abstraction scale than OpenGL. It's better to DirectX-to-Gallium3D (would be like translating C into assembler as a regular compiler), rather than DirectX-to-OpenGL (would be like translating C into Python).

Glide on Gallium3D, would mean rewrite a complete fixed pipeline. Expressing all the classical "texture and lightmap" combination which back then were handled by hardware, and writing modern shaders that re-implements them. Well, guess what? Drawing polygons with a fixed pipe-line is already what OpenGL 1/2 does inside Mesa on Gallium.
Instead of rewriting the same stuff twice and risking to introduce twice as many bugs, simply use a Glide2GL wrapper. Glide and OpenGL are very closely related anyway.

Very unlikely in my opinion:
Voodoo cards (and their Glide API) are fixed pipeline.
Whereas, from the ground up gallium3D was organised around the modern features found in a programmable-shader card.
There's a lot of difference between how these work.

On the other hand, Glide was designed with the simplest subset of OpenGL implementable in hardware in mind. That's why it easy to write miniGL or OpenGL implementations on top of it (and the reverse also: it's not impossible to write Glide-to-OpenGL wrappers).
Meaning that, in theory, it could be possible to build a Glide state tracker out of the building block that Gallium3D back-ends expose to the Mesa OpenGL tracker.

This won't help much for porting. It only works for drivers that work on Gallium3D. Thus, it only works on Radeon and Nouveau (and the alternative Gallium3D powered ILO. The official Intel runs on classic Mesa).
So only a very few end users will be affected. It's not worth counting on Gallium Nine for the port, as you're missing the big part of users who instead run the proprietary and/or official drivers (specially since Nvidia's blob has way much better hardware support that the reverse engineered Nouveau - due to lack of documentation).

On the other hand, Gallium3D give a nice and faster route for Wine, so a few select users can get straigh Direct3D support instead of going through a transaltion layer. So it's a relative benefit for Wine itself.

That has technically been possible before the Gallium Nine driver, anyway. The presence or absence of this driver don't change the feasibility of such ports. It only makes them faster for a few select users by removing translation layers.

Well, depends. I doubt that, when it comes out, it will rely on opensource drivers. At least not for Nvidia hardware: the difference of stability and hardware support isn't worth the effort.

On the other hand, if AMD get their shit together in time, and release the hybrid closed/source driver as promised (i.e.: you run the opensource kernel driver "amdgpu". Then, as an OpenGL implementation, you're free to use either the opensource Mesa Gallium3D driver or the Catalyst driver which will only be a GL+CL library running on top of the exact same opensource base), you might see the possibility of AMD Steamboxes that let the user switch between the two GL implementation on the go. That could mean using opensource GL/CL for the interface and for a few select game that need DirectX, and switching to Catalyst GL/CL for games that need GL 4.x, with Steam maintaining a database of which version runs better for which game and handling the switching without need of user intervention.

Over all, Direct3D is a much simpler and lower level API (at some point of time it was considered to be a back-end to be targeted by openGL drivers) so it would be supported faster than openGL and would give definitely a performance boost.

Also, specially if AMD releases Mantle for Linux (or if it becomes "OpenGL Next"), that might attract the interests of some multi-platform developers: such AMD powered Steamboxes would be closer to the hardware found in other consoles (AMD APU or GPU in all other consoles of this generation) and might help PC ports (at least on AMD it might get optimised a bit thank to re-using the work done on consoles).

Few random exemple where systemd helps:

- if you look at it probably 99% of all service on linux are just about starting an executable, with a few parameters.
-- with systemd, you do exactly that: write a service file that gives the name of the executable to run. and that's it. done. much more easy to maintain
-- with sysvinit, each distro has it's own local variant of boiler code that need to be copy-pasted around, and each service needs a whole script in /etc/init.d.
Whole script with duplicated lines vs simple text file.

- become a daemon requires some work.
-- either the developper must do a whole dance inside the code (double fork, sanitizing environment like closing descriptors, etc.)
-- or you need to take care of it from the outside (startproc, etc.)
systemd (like also daemontools and several other such "successors of sysvinit") can automatically take care of that. just run the soft in immediate mode, systemd takes care of the daemonisation/sanitization. In fact you can easily run as a service things like scripts.
So you want to have a daemon that is basically just a gawk 1 liner ? feel free.

automatic handling of modern kernel features. Cgroups, brokering capabilities, etc. Classical sysvinit has no concept of these (of course, they didn't exist back then).
- You would need either more kludge in you init.d scripts
- or use a modern system that can take care of that. systemd is one of them.

very light-weight container creation: other parts of systemd take care of state-less systems (basically you only need /usr for a system to work, /etc and /var can be automatically rebuilt with default settings from /usr if they are empty), various daemons under the systemd project can take care of the basic initialisation step (you don't need a full fledged dhcp server and client/pair compatible with every possible corner situation and supporting every option under the sun when all you need is just quickly hand out an IP to a LXC container - similarily to how one would use dnsmasq, systemd has its own micro dhcp implementation).
that makes possible to use LXC-style container (and thus much higher level of isolation) for anything that you don't trust and would like to run in its own container.
You don't trust skype, specially since microsoft did take it over? LXC container combined with SELinux and AppArmor (which LXC supports) would be a way to isolate it. Systemd (not the pid1 daemon, the whole project) is a project that can help generating such containers on the fly without any administrative intervention nor any configuration required.

You might not need these. And you're free to stick to old sysvinit if you want. Or at least move to a more modern spiritual successor of this (openrc)
(Gentoo give you choice of system. Or you could gather people and start "Rubuntu, an openRC spin of Ubuntu")

Or you might want these features. And systemd is then a nice single stop for all this plus more. (Though you could find similar daemon giving similar functions spread over 20 different projects).

It's a bit like the situation with TeX (nice single stop to get a ton of filters for text processing and typesetting) Ghostscript (printing) Pnmtools or ImageMagick (single suite of tighly integrated image filters/processing), etc.
Systemd is a similar suite containing all the necessary building blocks for taking care of system initialisation/process starting, etc.

Systemd has tons of useful funtionality, and thus lots of distribution decided to pick that one up as an openrc successor.
(Including distributions not depending on gnome)

Then don't. Stick instead to whatever pleases you. It's not a problem per se.

But accept that lots of other people DO find systemd useful enough to be worth the switching.
Including distros that aren't entire organised around Gnome.

If you don't like this situation, either move to a distro like Gentoo where that is still an option.
Or gather enough people and create your own spin of Fedora/Debian/Ubuntu (whichever is your preferred starting point) but organised around your preferred init system (with blackjack! and hookers!)

The problem is that, instead of doing this, most of the time, you only hear trolls spouting "Systemd is cancer!" and not doing much.

huh... no. It's just reported that it's a useful piece of code which actually solve lots of problems.
it's being adopted in lots of place because of this, even in distro that don't necessarily depend on Gnome.

Nobody is trying to force you to use it. You're free to use something else.
You'll just be missing about tons of features which are really useful and come for free with systemd.

But if you don't want it. Fine. Keep using your kludged together scripts. Or move to something else (openrc, the spiritual successor of sysvinit done in a modern way. Or anything else).

Simply accept the fact that systemd is useful enough that tons of distro are picking it up.

The problem is that, instead of just doing that (use something else), each time something is announced about the systemd project (not even necessarily the systemd daemon running as pid 1) there are tons of trolls comming and screaming "systemd cancer!" and not doing much.
Whereas the correct reaction would be just "meh.." and keep on using whatever they like. And perhaps, if they are unhappy that most of the distro are moving toward systemd, they should start a new spin of Debian/Fedora/Ubuntu based on some other alternative init system.

But no, all you here is only whining and very few actual work (like systembsd or uselessd, or adapting launchd so it can serve as systemd replacement, etc)

There is money to be made by selling proper crypto solutions.

Some citations:
Transmission rates based on infected partner's progression stage
Risk based on type of sexual act

Well, not that low, only half the odds, according to study 2.

Yup. 0.08/0.04 (vaginal) vs 1.4 (annal receptive). About 20x more odds.

Technically, its "women in poorer communities". It happens that in the US black ethnic are often at the bottom of the social scale due to past racial discriminations, etc. but even there they are not alone at the bottom of the scale.

He might happen to also be ethnically black, but given his economical situation and popularity, I doubt that he spends his time banging crack-whores. So the fact that HIV is more prevalent among the poorest section of the population has probably rather little impact.
Also, for what I know, he was only interested in women, which lack the proper biological appendage to being a risk for insertive annal (though not properly clean sex-toys might still be a potential danger).

The main reason he caught AIDS are probably due to a high number of partners combined with lack of proper protection.

In fact Magic Johnson helped bring awareness that HIV isn't exclusively targeting drug-addicts and homosexuals.

To transpose that to malware:
the fact that malware are more often found at warez sites ridden with keygen containing hidden malware, and dubious porn site running ads used by hacker to corrupt your system, DOES NOT MEAN that these are the only way a random internet user might get the computer infected by malware.
on the other hand, proper precaution will ALWAYS be a good solution to protect and diminish the risks. (virus scanner, filters, malware blocker, ad-blocker, VMs, etc.)

That, and decent crypto and other such security means.
(OTR for chat, GPG for e-mail, TOR for traffic, etc.)
(code reviews, the whole openssl/libressl/boringssl story, truecrypt/ciphershed, etc.)

Actually some of it already started happening before the NSA being busted:

for the SWIFT payment processing, the financial information of European users are mirror on two NON-US nodes for very obvious reasons (IRS, etc.)
only US users might have one of the two mirrors of their data on US soil.

Or, alternatively use descent crypto and security procedure.

i.e: don't count on the US and everybody else behaving correctly (As if there were any chance that Russia and China would stop spying) (or US for that matter. They'll simply spin another secret tree-letter agency that they can denying knowing it exists).
instead count of the fact that there will always be fuckers somewhere on the net, and keep best practices to avoid becoming yet again a victim whoever might it be.

Things like end-to-end encryption (total encryption between the two users communicating like OTR, CryptoCat, Jitzi, etc., not only on each leg to/from the server like HTTPS), making GPG more userfriendly, making Tor more popular, etc.

then dragnet or not, user will be safer on the average, even from non-law abiding 3rd parties. (Not only safe from NSA, but safe from script kiddies too).

Depends on the country. In Germany, being aggressive *IS* fine-able.
In Switzerland it could be considered impolite.
In southern France, that's the normal behaviour.

Maybe because it's enforced here in Europe ?
To get a driver's license, one need not only to pass practical driving exams, but also to pass a theoretical exams about the laws. You are required to register to a few theory courses for it. (All paying, that's why some people consider that driver's licenses are trying to scam as much money out of people as possible).
While it's not as difficult as a real school's exam, that still involves at least grasping the basics of the law.
There *are* people failing it. In some countries: fail 3 times in a row, and the local department of transport will politely offer you to put you in contact with professional psychologists if you like (repeated failure might be stress-management related. But might be also an opportunity to catch learning disabilities in a few people, instead of having them repeat the exam 20x until they eventually pass it by random chance and then allow such people on the street).

In comparison, when I was visiting the states, I was baffled at how stupidly trivial it is to get a drivers license.
Which of course makes sense in a country that is so much over reliant on cars. When even "go get groceries at the block's corner's store" means a 15 minutes drive, because the "block" consist of a several mile long succession of 2-store houses, then NOT having a drivers license is basically being completely unable to function in society. Add to the fact that driver's licenses function as photo ID and thus basically anyone is required to have one, so you can't easily fail people. (Unlike here in European countries which all have proper ID Cards. Due to a VERY HIGH level of standardisation, a driver's license is acceptable and can be used as a substitute for ID Card when in a rush. But still, european countries have a photo ID card that is issued to everybody, without needing to pass an exam or to pass a bank's credit card financial history check).

But yeah, basically:
- in europe, to be allowed to drive, you need to positively prove that you aren't going to pose a significant danger to the other drivers.
- in US, to be allowed to drive, you need to approximately qualify as 'human being' (more or less). (Corporal Nobby Nobbs would probably qualify too).

yet, north European (Germans) find that the French drive badly.
(and the opposite is true in the Balkan, probably US-ians will find driving there too much dangerous for them).

You still get the choice between:

- keeping GNOME and SystemD.
- throwing away GNOME + SystemD, and switching to KDE, or LXDE, or XFCE, or Unity, or Enlightment, or MATE (or even a mix of Cinamon that relies on gnomelibs that are systemd-free).

(Though probably given that - no matter how much you refuse to believe - systemd *IS* actually useful and *DOES* help solving real-world needs, probably KDE is going to start using it some time in the future, too.
On the other hand, KDE being KDE and being much about choice, KDE will probably go the "phonon" route: they'll probably make a new module in kdelibs called "libkde-systemk" which is a very simple API and high level abstraction of the few features they need, and which can use systemd as a back-end, but could also use systembsd, other backend or even whatever could produce the same functionality under Mac OS X [Launchd] and Windows [huh...?] )

GNOME is *NOT* a absolute requirement for Linux.
And several distros *DID* switch away from it (but not on the grounds of systemd. Mostly because they didn't like the direction Gnome 3 was heading):
- Gnome2 got forked into MATE and had quite some success.
- Ubuntu created their own Unity.
- Mint started their Cinnamon fork of Gnom3
- Some distro switched to XFCE to have a "Gnomish look" but less resource requirement than Gnome 2/3
etc.

Now in fact if you look at it closely:
- Yes, Fedora *IS* a GNOME-based distribution, and they also use SystemD, but...

- openSUSE has been systemd-powered for the past 4 releases (~3 years ago, ~1.5 year after the systemd launch) . Yet, opensuse *IS NOT* a GNOME-based distro. KDE has always been the default, although suse has always made the effort to support both KDE and Gnome as first-class DE making effort to customise and integrate them both.
- ubuntu did switch from Gnome to Unity... but they are switching from Upstart to systemd. ...etc...

Apparently, systemd might be useful enough that even distros that DO NOT depend on Gnome3, STILL decide to pick it up.
The only remaining practical questions are:
- how much until it becomes stable and mature enough (opensuse is showing signs that this is soon)
- how long will it stay before "let's change everything" madness strikes again.