Comment Trolls poised to take over the world (Score 1) 489

When you think about it, most of the "mainstream" media is based on trolling. More subtle than "Your mom .... last night ... with ... and ... and ... " yet just the same they deliberately and persistently push the audience's buttons and willfully mislead to attract attention and ever larger audiences.

The online media is much more aggressive in this regard, routinely offering structures granting massive audiences to random people visiting their site. This is a bit like keeping a stack of 100s in an unlocked car in a Walmart parking lot overnight and being surprised when it turns up missing the next day.

If trolling is an epidemic it only got that way because Trolls have been well fed in environments where the objective function is maximizing advertising profits to the detriment of decency and integrity.

While I can't bring myself to defend threats of injury or death as free speech... this is worlds away from the Malicious Communications Act's "indecent or grossly offensive or information which is false and known or believed to be false by the sender" insanity.

I find it breathtaking TFA would focus almost entirely on rape threats while largely remaining silent on the really insane aspects of this law.

Where is that sensational article titled "Telling a fib will get you two years in jail?" ...

Comment Re:Wikipedia article deleted (Score 1) 98

If Wikipedia was a person I would smack it upside the head for shit like this. There is absolutely no reason not to have an article on LMDB, and deleting a perfectly good article for no reason is evidence of a mental disorder. It's not like they have to spend an extra penny for a piece of paper to hold the article, possibly making the book too thick. Wake up.

Speaking only from personal experience, there seems to be a disconnect between what people actually derive value from and rules + perhaps original intent of Wikipedia.

We seem to be stuck in a situation where lack of enforcement itself is supporting quite a bit of value and interest in the site... A situation ripe for leverage by personal whims and selfish persuasion.

I don't think there are any easy answers yet the rampant deletions are particularly annoying and unhelpful to me as a user of Wikipedia.

Comment Re:It's not that hard to do it right (Score 1) 54

Sealing against SQL injection isn't that hard. Don't ever write:

select * from table where id = $id

Does anyone have a better way to build up queries?

The forbidden example above looks to be the easiest and most readable of all the variants you have provided...

SQL context aware eval() routines with safe default marshaling assumptions are relatively trivial to write.

Much better to give people what they want rather than forcing them to use parameterized semantics where not ideal. If web platforms did this from the beginning CVE databases would be much lighter than they have become.
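As an added illustration of the exchange above (example code written for this page, not posted by anyone in the thread), the three approaches under discussion side by side: the forbidden interpolated query, a bound-parameter query, and a minimal "context-aware marshaling" helper of the kind the reply says is trivial to write. The `users` table, the `sql_literal()` helper and the probe string are all constructed for this demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table for the demonstration (not data from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)],
    )
    return conn


def lookup_interpolated(conn, user_id):
    """The pattern the quoted comment forbids: the raw value is pasted into the SQL
    text, so whatever it contains becomes part of the statement."""
    sql = "SELECT id, name FROM users WHERE id = %s" % user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Bound parameter: the driver hands the value to SQLite separately from the
    statement text, so it can only ever be compared as a value."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def sql_literal(value):
    """Hypothetical marshaling helper in the spirit of the reply: render a Python
    value as a SQL *value* literal, escaping by type. It is only correct in value
    position (not for identifiers, LIKE patterns or operators)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # bool before int: bool is an int subclass
        return "1" if value else "0"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        return "'" + value.replace("'", "''") + "'"   # double embedded quotes
    raise TypeError("no SQL literal form for %r" % type(value))


def lookup_escaped(conn, user_id):
    """String building again, but every value passes through sql_literal()."""
    sql = "SELECT id, name FROM users WHERE id = " + sql_literal(user_id)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "2 OR 1=1"   # constructed test input a reviewer would feed each lookup
    print("interpolated :", lookup_interpolated(db, probe))    # every row comes back
    print("parameterized:", lookup_parameterized(db, probe))   # no row matches
    print("escaped      :", lookup_escaped(db, probe))         # no row matches
```

The escaped variant shows why the reply's position is not unreasonable for the value case, and also where it stops: `sql_literal()` knows nothing about table names, column names or `LIKE` wildcards, so each new context needs its own rule, whereas the bound parameter needs none.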

Comment Re:Stuck between a rock and noplace (Score 1) 68

Disabling SSLv3 does nothing for future attacks; but the other measures we are putting in place will.

The problem is non-standards-compliant behavior of web browsers willfully subverting downgrade attack prevention features baked into SSL/TLS standards.

The downgrade SCSV will let a server detect a downgrade attack, or incorrect version fallback.

This requires both servers and clients to support it and associated propagation throughout the world's server and client stacks to be at all effective. SCSV is not even an RFC.

Why leave people exposed in this manner? What good is TLS 1.2 deployment and fancy new AEAD ciphers when any yahoo can come along and force affected browsers to TLS v1... What is the compatibility based reason for continuing this behavior when SSL v3 is being disabled in new browsers anyway? Please name names.

As with many things, there is a balance to be struck. Disabling SSLv3 a year ago would have affected a lot of sites, including major commerce and banking sites, and it's not always an easy fix with aging infrastructure and long supply chains for equipment.

What balance? What are the tradeoffs? Nobody seems to know. What is on the other side of the ledger to serve as a counterweight to allowing downgrade attacks to persist in 2014 and why does everyone need to bear that risk by DEFAULT?

Comment Re:Stuck between a rock and noplace (Score 1) 68

The paper explains it.

Desperately looking for names and versions.

is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions.

Is this IOS? What versions?

Unfortunately those failed negotiations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

Then why are the browser vendors saying they are going to disable SSL v3? If we're going to use SSLv3 as an excuse and that excuse is taken away ... what's left?

Comment Re:Stuck between a rock and noplace (Score 1) 68

Some servers don't handle TLS version numbers at all, and typically just reject the connection instead of advertising to the connecting client that they can support SSL3, TLS1.0 and TLS1.1 but not TLS1.2. So when the client tries to connect with TLS1.2, they are disconnected, so the client tries to connect with TLS1.1 and is successful.

Please I'm begging for names... name names and versions... Who is supporting 1.1 AND doing this?

This SCSV thing adds a flag to each side to say "but I'm only using this protocol because you didn't like the other protocol" and for the server to say "but you never asked me?"

Isn't it easier to fix existing implementations rather than inventing new capability negotiation schemes, writing the code and deploying? Is anyone sure extra flags won't cause new compatibility problems?

If everyone is shutting down SSL 3 anyway as seems to be the case... what then is the remaining intersection of TLS 1+ capable servers and clients still not supporting version negotiation? Please anyone who knows I beg you to name names.

BTW, the core reason for all of this was because the pre-TLS browsers absolutely shit themselves over TLS1.0 advertisements, and because browser makers are absolute fuckers, rather than popping up a window saying

Please name names what browsers?
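The fallback dance and the SCSV check discussed in this comment and in the earlier "downgrade SCSV" exchange, as an added simulation (example code written for this page, not from any poster). It models the rule from the TLS_FALLBACK_SCSV draft (published later as RFC 7507): the client appends the signaling suite value 0x5600 only on a retry, and a server that could have negotiated something higher than the retry offers answers with an `inappropriate_fallback` alert. The `drop_above` parameter and the single stand-in cipher suite are constructed for the simulation.

```python
# Wire-format TLS versions (major, minor); tuple comparison gives the ordering.
SSL3_0, TLS1_0, TLS1_1, TLS1_2 = (3, 0), (3, 1), (3, 2), (3, 3)

# Cipher suite values. 0x002F is TLS_RSA_WITH_AES_128_CBC_SHA, used as a stand-in
# real suite; 0x5600 is the TLS_FALLBACK_SCSV signaling value.
AES128_SHA = 0x002F
TLS_FALLBACK_SCSV = 0x5600

# Alert description defined for a detected fallback: inappropriate_fallback(86).
INAPPROPRIATE_FALLBACK = 86


def server_check(server_max_version, client_version, cipher_suites):
    """Server-side SCSV rule. The client lists TLS_FALLBACK_SCSV only on a retry after
    a higher version failed. If the server could have spoken a higher version than
    the client now offers, that earlier attempt should have succeeded, so something
    in between broke it: answer with the alert instead of a ServerHello. A server
    that supports nothing higher simply ignores the unknown suite and proceeds."""
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max_version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("accept", min(client_version, server_max_version))


def client_fallback(server_max_version, drop_above, client_sends_scsv=True,
                    versions=(TLS1_2, TLS1_1, TLS1_0, SSL3_0)):
    """Simulate the browser 'dance' the thread describes: offer the highest version,
    and if the connection dies before a ServerHello, retry one version lower.

    drop_above models the path between client and server: any ClientHello above that
    version is killed. The client cannot tell a broken legacy box from an active
    downgrade; the SCSV is what lets the *server* tell them apart."""
    retrying = False
    for version in versions:
        if version > drop_above:
            retrying = True            # connection killed, fall back one step
            continue
        suites = [AES128_SHA]
        if retrying and client_sends_scsv:
            suites.append(TLS_FALLBACK_SCSV)
        return server_check(server_max_version, version, suites)
    return ("failed", None)            # nothing got through at any version


if __name__ == "__main__":
    # Ancient server that only speaks TLS 1.0 and kills higher hellos: still works.
    print(client_fallback(TLS1_0, drop_above=TLS1_0))
    # Modern server, something on the path kills 1.1/1.2: the fallback is detected.
    print(client_fallback(TLS1_2, drop_above=TLS1_0))
    # Same situation with no SCSV support: the silent downgrade the thread objects to.
    print(client_fallback(TLS1_2, drop_above=TLS1_0, client_sends_scsv=False))
```

On the compatibility question raised above: the signal is an ordinary entry in the cipher suite list, so a server that predates it sees one more suite it does not recognise and ignores it, which is why the legacy case in the first scenario still completes. The protection only exists once both the retrying client and the server know the value, which is the deployment dependency the earlier reply points out.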

Comment Re:Stuck between a rock and noplace (Score 2) 68

Firefox already mitigates the attack to some degree. If the connection started out at TLS 1.2 or 1.1 then it could not be downgraded to SSL3 because the code allowing that was removed some time ago.

This does not make any sense. A mitigation that does not work is not worth anything.

Easiest way in Firefox to prevent a connection downgrade to SSL3 is to set "security.tls.version.min" to 1 in the about:config page. This sets the minimum version of the encryption protocol to TLS 1.0.

What good does that do when a future attack against TLS 1.0 succeeds and 1.2 users again find themselves being pulled down to 1.0?

Comment Re:How legacy is legacy? (Score 2) 68

The last major browser that doesn't support TLS 1 was IE6. Even Microsoft doesn't support that piece of crap anymore.

I'm scared now... tested using old w2k image IE version 6.0.2800.1106 - TLSv1 amazingly works just fine with IE6 using RC4-SHA cipher, forcing AES was no-go.

When compatibility issues are raised, always insist people name names; too much of this space is ruled by legend passed down throughout the ages and unhealthy doses of hearsay.

Everyone saying "there are servers" or "there are clients" please name names and versions.

Comment Re:Stuck between a rock and noplace (Score 1) 68

It is to support old servers (ancient Cisco gear comes to mind) that can't properly negotiate newer TLS versions. Unfortunately those failed negotiations don't fail, er, gracefully -- it just kills the connection. Browsers (Chrome, Firefox, probably others) retry using SSLv3. Why? There's a lot of old gear out there.

There has got to be a better solution for clients in 2014 that does not involve leaving users vulnerable to downgrade attack.

Why can't browser vendors provide users with an option to enable "dancing" and not have it enabled by default?

I love backwards compatibility but the cost to the overwhelming majority of people who don't have old vulnerability-ridden gear to manage via SSL is way too high in 2014.

Comment Re:How legacy is legacy? (Score 2) 68

According to the summary, this isn't about browsers, it's about servers - the browsers choose to fall back to SSL3 to cope with broken servers.

Intentionally bypassing downgrade attack protection built into SSL to "cope" with broken servers is 100000% a browser defect. There is no possible excuse for this nonsense in 2014.

Comment Re:Anyone using Windows deserves it (Score 1) 97

it's about keeping people informed so they can act appropriately. Imagine yourself a FreeBSD user; if you heard of Heartbleed as a Linux bug, would you think to look for an OpenSSL patch?

If your idea of being notified is hearing about it on CNN, ./, other "media" or social propagation, you're doomed.

Users should not be expected to know what supporting libraries are used by applications. Application vendors need to provide patches and make announcements for service-affecting vulnerabilities in supporting libraries distributed with their applications, no different than if the source of the error were their own code.

Operating system/package vendors need to provide patches and make announcements for vulnerabilities in the software and standard libraries they distribute.

There are established update/security notification channels for these things users need to be following... there is no need for anyone to be guessing or make incorrect assumptions and no excuse for depending on shit sources (mass media, blogs, friends) for security notifications.

If anything keeping people "informed" is doing them a disservice.
