Forgot your password?
typodupeerror

Comment: Re:sub-CA hell (Score 1) 39

by cratermoon (#42344647) Attached to: An Interactive Graph of the Certificate Authority Ecosystem

No, I'm fully aware we don't trust the CAs with our personal data. We're trusting the CAs to vouch for the organizations to whom they issue certificates. But now there are hordes of CAs, some of whom may not be particularly trustworthy, but the browser makers don't descriminate (much).

As a result, we have CAs that we're supposed to trust because our browsers accept them, but those CAs are passing out SSL certs like candy to anyone with a few bucks.

While we're not directly giving our personal data to the CAs, we're trusting the organizations they vouch for on the basis of the supposed trustworthiness of the CAs, when in fact most of them are utterly opaque and unknown to us, thus indirectly trusting them to protect our personal data.

Again I say, anyone on the internet should look at the diagram, look at the list of signing authorities their browsers trust, and ask themselves, "who the hell are all these people and why do I trust them?"

Comment: Re:sub-CA hell (Score 1) 39

by cratermoon (#42298093) Attached to: An Interactive Graph of the Certificate Authority Ecosystem

OH I definitely agree that the system is broken. Just looking at the site should make anyone on the internet ask themselves, "who the hell all these CAs are and do we really trust them with our most personal data"?

Yes, I think that encrypting your traffic securely is the right thing to do, and using public-private key pairs with cryptographically strong algorithms is the right way to do it, the trust model was broken the first day that money started to change hands as a surrogate for "trust"

Comment: Re:This is ridiculous (Score 1) 217

by cratermoon (#41950303) Attached to: Blizzard Sued Over Battle.net Authentication

completely unnecessary if you use a good password.

That's a dangerously incorrect assertion to make. People's battle.net accounts don't get compromised because a malicious party cracked a password. Keyloggers, phishing, social engineering, and just plain fraud are all far more common avenues for password leakage, both in battle.net and overall.

The days when a hacker could bang on the front door of a service trying username/password combinations until finding one that worked are long gone. The reason Blizzard introduced authenticators was because their own experience indicated that no matter how tightly locked the servers, or how strong the password requirements, with the client software and hardware out of their control, passwords were still getting out. So they went with the next best convenient security practice: something you know, and something you have.

Space

The Most Detailed Images of Uranus' Atmosphere Ever 105

Posted by Unknown Lamer
from the home-of-the-frost-giants dept.
New submitter monkeyhybrid writes "The Planetary Society's Emily Lakdawalla reports on the most detailed images of Uranus ever taken. The infrared sensitivity of the ground based Keck II telescope's NIRC2 instrument enabled astronomers to see below the high level methane based atmosphere that has hampered previous observations, and with unprecedented clarity. If you ever thought Uranus was a dull blue looking sphere then look again; you could easily mistake these images for being of Jupiter!"
Programming

System Admins Should Know How To Code 298

Posted by Unknown Lamer
from the helps-to-have-a-beard-too dept.
snydeq writes "You don't need to be a programmer, but you'll solve harder problems faster if you can write your own code, writes Paul Venezia. 'The fact is, while we may know several programming languages to varying degrees, most IT ninjas aren't developers, per se. I've put in weeks and months of work on various large coding projects, but that's certainly not how I spend most of my time. Frankly, I don't think I could just write code day in and day out, but when I need to develop a tool to deal with a random problem, I dive right in. ... It's not a vocation, and it's not a clear focus of the job, but it's a substantial weapon when tackling many problems. I'm fairly certain that if all I did was write Perl, I'd go insane.'"

Comment: Re:A lot of apps use SSL (Score 1) 141

by cratermoon (#41722519) Attached to: Poor SSL Implementations Leave Many Android Apps Vulnerable
Good answer. To be fair to the parent post, the certificate authorities *do* have some work to do in cleaning their own houses. Stolen or compromised certificates do exist, and while we can revoke the ones we know about, there's the ones we don't know about, and there's the clients that don't handle revocation properly. It's not clear that the CA houses are doing their jobs well enough.

Comment: Re:A lot of apps use SSL (Score 1) 141

by cratermoon (#41722489) Attached to: Poor SSL Implementations Leave Many Android Apps Vulnerable
Next time say, "I'm sorry, I'm a professional software developer, and I have to follow certain principles, same as a doctor or lawyer must follow their respective professional codes. Please contact me when your server side is properly configured and I will be able to complete the work."

Comment: Re:A lot of apps use SSL (Score 1) 141

by cratermoon (#41722443) Attached to: Poor SSL Implementations Leave Many Android Apps Vulnerable

That's not wrong, but it still doesn't explain to me why I, as a user, should trust both application A and site B that have agreed to trust each other with a self-signed certificate. The reason was have the CA model is to introduce a trusted third-party* that can verify for us that everything is on the up-and-up. The user should not be in the position of having to trust unknown parties.

*Yes I know the CA companies have problems. Maybe the model is so broken by nature that it doesn't matter, but it's still true that the self-signed model bypasses it.

"I'm not a god, I was misquoted." -- Lister, Red Dwarf

Working...