
Comment Re:Stupid people use linux too (Score 2, Interesting) 254

Absolutely! There's plenty of stupid to go around.

1. Where was the firewall admin to prevent external systems from connecting to these webservers over port 8080?
2. Why did the admins use insecure tools or insecure systems to allow their credentials to be sniffed?
3. Where was the IDS/IPS to notice the sudden change in traffic?
4. Where was the load balancer/reverse proxy to intercept this junk?
5. Where was the routine review of logs to notice the dynamic DNS updates from computers with (presumably) static DNS entries somewhere?
6. Where was the periodic pen/vulnerability test against these systems?

Comment Re:Local? (Score 2, Informative) 427

"but generally speaking you're not expecting attacks from inside your LAN"

Right, because a virus on my local network would never take advantage of that.
Right, because more than 60% of data loss events are triggered by insiders.
Right, because you personally know and trust every user on your LAN.
Right, because nobody would connect an unapproved device, like their iPod, or personal PC, to the LAN.

If you're not expecting most of your attacks from inside your LAN then you're just fooling yourself.

Comment Re:Most SHOULD NOT think about security... (Score 1) 216

"It is a great failing in our industry that it's viewed as a problem that "most don't think about security".

Rather, the problem is that we haven't constructed systems such that people don't have to think about security. The best security systems are so unobtrusive and unnoticeable that people should not think about them."

Strictly speaking about IT security systems, I agree, security systems should be much more "automagic" than they are today. But if you're relying on an IT system for security you're already halfway to screwed.

People (not users, people) are the start and end for security. It wasn't that long ago that people advised you to engrave your SSN on your valuables, like your bicycle, so you could get it back if lost or stolen. If I want service from my electric company, they ask for my SSN. We think nothing of tossing credit card applications into the trash whole. Heck, we still allow our mail to sit in an unsecured box at the end of the driveway. We people have so many insecure habits to unlearn. (Don't forget to post those pics from the vacation you're currently on at your publicly accessible Facebook account.)

We can't expect an IT solution to save us from ourselves.

Comment Re:Bye, bye. (Score 1) 881

"Here's my model of the only possible internet. You pay for services, including downloading all content. That means paying the 10 euro/mo or whatever for rapidshare if you want to download free projects (unless they can get donated bandwidth from a university). Commercial projects can support their own bandwidth needs. If you want quality tech news, subscribe to Ars Technica - they're not going to just work for free."

While I have no doubt an equilibrium will be reached, the assumption that all Internet activity will be fee based seems to forget a number of different factors, the most important of which is the reality that my income is finite. I already make decisions on my Internet habits based on money--for instance I bought a cheap laptop and slapped a free OS on it instead of buying a Macintosh, and I have chosen not to pay for an account on either FARK or Slashdot as of yet.

So yes, in the near term I will not be visiting any Murdoch owned websites based on the fact that I will choose not to pay for them. I will be able to do this for free so long as other outlets with the same news/facts/data are available to me. This may include systems as antique as AM radio, which is the other part that seems to get forgotten on the Internet--it's not the only game in town, even as other forms of media are shrinking.

Comment Re:News at 11 (Score 4, Interesting) 553

This kind of thinking is, well, disappointing. Yes, it would be "easier" for you the user to not need such a strong password. That would be one way of looking at it. I think it would be easier, too, if I didn't need to look both ways for pedestrians while backing out of my driveway every day. What are the chances that I'm going to hit a pedestrian? Pretty small, but I need to look for them anyway.

There are just some things that we all have to do, even if they are "hard." So may I suggest that instead of complaining that passwords are too hard to remember, perhaps you could try using a couple of tools.

1. Use something like password safe for all those "useless" passwords. You know, the ones for Yahoo, Google, Slashdot, etc.

2. Teach yourself an easy way to create complex passwords. Use the first letter of each word in a silly phrase like "Snoopy Prefers @nchovies 0n his 8rick Oven pizza." (SP@0h8Op) Or pick some other way of remembering these things.

3. Or, install a backup camera so you don't need to look around for those pedestrians.

Just my 2 cents.

Comment Re:... and publicly announcing this (Score 5, Insightful) 156

"and publicly announcing this will help these gaps to stay unfiltered?"

It is in Iran's best interest to filter as little as possible. If you're a devout WoW player, they'd rather let you spend time on that, being oblivious and happy, than risk you being pissed off that you can't play. The most important thing for Iran's government to do is to try and make sure that no more people join the protests, and that those who have get discouraged by the hardship and return to their "comfortable" lives. They want people to return to "normal" even if it is just a sham because they can control the people that way. That requires people not paying attention to what the government is really doing, which requires giving people somewhere to "bury" their heads. The Internet is GREAT for that. I never found so many ways to waste my own time until I first opened that Mosaic browser one day...

What Iran's government has been doing with regard to filtering has been disturbingly effective. Yes, the protesters are getting together and communicating with each other, but there are no reliable sources of verifiable news. No reliable death count. No clear picture of what is happening. Citizen journalism is great, but it pales in comparison with what real news-gathering resources can do. So foreign governments are limited in their response, and that response is even more limited in the audience within Iran that can see it.

Don't discount the ability to keep information away from the militia men as well. The Iranian government is more dependent than ever on the blind faith of their security forces. They must be fed the party line, and be made to swallow it. You don't get that kind of obedience when those forces are allowed to think for themselves. So you deny them the ability to gather data to make up their own minds.

So yes, Iran is not blocking all possible methods of communication, but they're effective enough that they still may pull this off.

Information is power, and the information required to make your own decisions is the ultimate expression of that power.

Comment Re:Remember, folks... (Score 1) 328

Exactly. As a culture we seem to be almost compulsively obsessed with having everything on the Internet. And let's not forget that the Internet was designed with several assumptions about the basic "good" nature of the people on it (scientists, university students, and the always trustworthy US military) that somehow we figured we should just open up to everyone. So go figure that it is ill-equipped to act as a truly secure system.

Comment Fraud risk too (Score 1) 267

Absolutely. That, and the fraud risk. Who is responsible when my cell phone is stolen, cloned, etc. and somebody runs up a huge bill using it to pay for things? If my credit card is stolen, US law limits my responsibility to $50. If there are fraudulent charges, I can contest them with my credit card company and they and the retailer bear the liability to validate the charge. I'm sure that the cellular companies aren't too keen to take on these risks themselves, so they'll either try to find a partner (the credit card companies or banks) or they'll try to pass the liability all the way to the end user.

One thing that will completely prevent me from being interested in this form of payment is the level of risk I am assuming when I use it. Ask me why I don't use a debit card? Because there's a higher risk to my cash flow if somebody drains my checking account than if somebody hits my credit card limit.

Media

Submission + - ISP already pushing back on RIAA/MPAA

bbernard writes: Today Cnet has a nifty little story about one ISP's reaction to the RIAA's new strategy: pay up. "Jerry Scroggin, owner-operator of Bayou Internet and Communications, wants the music and film industries to know that he's not a cop and he doesn't work for free." As Scroggin puts it, why would he take the step of canceling a customer, who may be paying him $40/month on a multi-year contract, based on the "word" of the RIAA? Too bad I'm not in Bayou Internet and Communications service area...

Comment Re:So their real statement is... (Score 2, Interesting) 141

This really seems more like a way for them to perform discovery without all that mucking about with the courts. Get the ISP to respond with "Yes, we've identified Mr. Smith of 123 Main Street based on the information you provided..." I'm curious to see their strategy here--do they try to bury the ISPs in this letter to get them to decide to take their own action against file sharing to get the RIAA off their backs?

To be blunt, this new "strategy" has to benefit them somehow. And there's only one benefit I can think of that they'd be after: $$$$. So how does sending letters to the ISPs benefit them monetarily?

Television

Submission + - DIRECTV freaks out and blocks everything (typepad.com) 1

eagl writes: It seems as if DIRECTV has jumped on the DRM bandwagon in a big way. Wil Wheaton finds himself with 57 channels (plus or minus a few hundred) and nothing on, quite literally. Is this the inevitable result of forcing restrictive standards that do not benefit consumers?
Patents

Submission + - Vonage's Request for Retrial Denied

rfunches writes: "The New York Times (via Reuters) reports that Vonage's request for a retrial of the patent infringement case brought against the company by Verizon has been denied by a federal appeals court. Vonage had hoped to have the lower court's ruling overturned because of a Supreme Court ruling on Monday. From the article:

"The appeals court said Vonage could cite the new Supreme Court ruling as part of its pending appeal. Vonage had argued that the March 8 infringement verdict in favor of Verizon should be reconsidered after the Supreme Court loosened a crucial legal standard, making it easier to invalidate some patents on the grounds they are obvious inventions."
"
