
Comment Re:Blast from the past (Score 1) 168

Kids these days. No wireless for us geezers. We had to use one of these: http://en.wikipedia.org/wiki/Acoustic_coupler Think it was 110 baud. We used it from my high school, between our three teletypes ( http://en.wikipedia.org/wiki/File:ASR-33_Teletype_terminal_IMG_1658.jpg ), and a local community college for a BASIC programming class that was offered around '73-4. Whenever you saw a kid walking down the hall with punched paper tape wrapped around their fingers (most of us adopted a figure 8 pattern), you knew it was another geek.

Comment Re:If Google can do it (Score 1) 325

then why can't the USPS open letters, scan them, then reseal and deliver them?

When a person uses USPS, they think they're using a system intended for The People and their communications needs. It's a system created as a public service by an act of .. uh, by the ratification of the Constitution. :-)

When a person uses gmail, they think they're using a commercial system primarily intended to make Google money at the users' expense. And since they don't pay money directly for it, they know the expense is going to involve all the myriad ways a person can be treated as a product rather than as a customer.

No gmail user believes that gmail's primary purpose is to serve the user, or that they have privacy. When gmail appeared, the first thing everyone thought was, "Oh, this weird idea, exists to increase Google's ad revenue."

FWIW, if the USPS had actually been initially established by an advertising company, for the purpose of opening and reading everyone's mail, and if all USPS' users knew that was happening, then it would be ok for them to do that. (Well, sort of ok. I would definitely want the prohibitions against direct competition removed...) Call it "SpyPost" and actually brag about how you read people's snailmails and insert related ads into them, and I really don't think there would be a problem. Just be up-front about it.

It's the whole up-frontness and lack of sneakiness and informed consent that makes it not be wiretapping. Unless... shit. Gmail's been around for a few years now. Might there be new kids who grew up, not realizing what it was or why it started? Could there actually exist some strange subset of population, who thinks gmail is normal email, rather than the bizarre exception to email that all of Slashdot knows it is? If there's a problem here, it's all going to come down to whether or not the signup pages help to make this obvious to laymen.

Comment Re:Convergence and Perspectives (Score 3, Interesting) 233

When will you guys get it through your heads that 'distributed everything' doesn't work. Central authorities are needed to mediate and ensure everyone is on the same page.

Those central authorities are welcome to join in, and become highly valued nodes in the WoT.

Central authorities also come with the risk that they can be compromised, but it's far easier to deal with one compromised CA than several billion.

Aha, now I get it... could it really be this simple? Are X.509 advocates merely bad at math? The terms in your risk assessment formula are wrong.

If a signer has a probability p of being accurate/trustworthy, then the chance of its attestation being correct, is p. That's how X.509 certs work and of course you understand that very well. Cool. With PGP, if signer1's probability of being accurate is p1, and signer2's probability of being accurate is p2, then the chances their joint attestation of an identity is accurate, is 1-((1-p1)*(1-p2)). Dude, that's a number which is greater than either p1 or p2.

For example, say you think it's 90% likely that Verisign is telling you the truth about a key belonging to a certain website. They're the one and only signer for some website (because one signature is all this shitty tech can handle), so you think it's about 90% likely you're talking to that site, and 10% likely you're talking to the NSA. If that's your estimate of Verisign's reliability/trustworthiness, then 90% is the best you can do with that tech.

Now let's say we upgrade from that garbage to 1991 technology: the PGP WoT. Suppose Verisign and CNNIC have both signed something, and you think Verisign is 90% reliable and CNNIC is 60% reliable. (Those sneaky Chinese bastards!)

You're 1-( (1-0.9)*(1-0.6) ) = 0.96 , that is, 96% confident that you're talking to the website you wanted to, and 4% worried that you're talking to someone who is involved in a joint US-China conspiracy (which, now that you think of it, is less than 4% likely to really occur). You have just wiped the floor with X.509's security performance.

Suppose I signed it too. You don't know me. While it seems absurd at first that I'm less trustworthy than the Chinese government (they're known badguys; I'm merely some internet asshole) at least you know something of their loyalties or lack thereof, and very little of my competence and motivations. It's reasonable to assume I am probably more likely to conspire with your adversaries than they are. Some guy with US government might be holding a gun to my head, right now! So you decide to only trust me 1%. Ok. Guess what? You can work with that!

Now my super-weak signature is on there. You trust the identity 1-( (1-0.9)*(1-0.6)*(1-0.01) ) = 96.04%. My super-weak nearly-completely-untrusted attestation made it stronger.

This is why you were totally wrong when you said one compromised CA is easier to deal with than a billion. A billion compromised CAs are easier to deal with than one. Distributed authentication is more fault-tolerant, and we're now in a situation where the mainstream finally "gets it" that the faults really do occur, rather than it simply being a tinfoil hat thing that cypherpunk SciFi authors pretend to worry about. X.509 is based on the idea that Verisign is telling you the truth 100% of the time, and cannot model the idea that you think they sometimes fail. PGP, on the other hand, is based on reality: that grey world where sometimes things work and sometimes they don't, where you sort of trust some people some of the time, etc. You know, that world that you actually live in.
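The formula in the comment above, as an added example that is not part of the original comment: it reproduces the 96% and 96.04% figures and asks how many 1%-trusted signers alone would reach 96%. It assumes signers fail independently, which is what multiplying the (1-p) terms requires. The function names, and the "at least k accurate" threshold that goes beyond the comment, are illustrative assumptions.

```python
from math import prod


def joint_confidence(trusts):
    """The comment's formula: 1 - product of (1 - p_i).

    Under the assumption that signers fail independently, this is the
    probability that at least one of them is accurate.
    """
    return 1 - prod(1 - p for p in trusts)


def at_least_k_accurate(trusts, k):
    """Generalization (not in the comment): probability that at least k
    of the independent signers are accurate (Poisson-binomial tail)."""
    dist = [1.0]  # dist[j] = P(exactly j accurate among signers seen so far)
    for p in trusts:
        nxt = [0.0] * (len(dist) + 1)
        for j, q in enumerate(dist):
            nxt[j] += q * (1 - p)    # this signer is wrong
            nxt[j + 1] += q * p      # this signer is accurate
        dist = nxt
    return sum(dist[k:])


def signers_needed(p, target, limit=10_000):
    """Smallest number of equally trusted signers (each with trust p)
    whose joint confidence reaches target; None if never within limit."""
    if not 0 < p <= 1:
        return None
    miss = 1.0  # probability that every signer so far is wrong
    for n in range(1, limit + 1):
        miss *= 1 - p
        if 1 - miss >= target:
            return n
    return None


if __name__ == "__main__":
    # Trust values are the ones used in the comment.
    cases = {
        "Verisign only": [0.9],
        "Verisign + CNNIC": [0.9, 0.6],
        "Verisign + CNNIC + stranger": [0.9, 0.6, 0.01],
    }
    for label, trusts in cases.items():
        print(f"{label}: {joint_confidence(trusts):.4f}")
    print("1%-trusted signers needed for 96%:", signers_needed(0.01, 0.96))
```
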

Comment Re:Why do we trust SSL? (Score 1) 233

Encryption without authentication is useless.

Is plaintext useless? We're having an unauthenticated discussion here on Slashdot right now.

Encryption without authentication is useful. It's at least as useful as plaintext (that's the lower bound, the worst possible case), except that on top of that, it has the advantage of preventing passive risk-free snooping.

That's why unauthenticated encryption should not display any warnings that you wouldn't also display to plaintext users. Any such warnings can only serve to mislead the user into thinking plaintext (where they don't see as many warnings) is safer. And plaintext isn't safer; plaintext is worse.

Nobody's saying don't authenticate. They're saying that failure to authenticate still isn't as bad as the default behavior, which for some reason, doesn't show warnings every time someone loads an unencrypted page. If you can explain why plaintext users shouldn't get scary warnings, then your same explanation will work for why unauthenticated encryption shouldn't result in warnings.

Comment Re:Revocation --- or Redundancy? (Score 4, Insightful) 233

Now think it through. If Verisign is owned by the NSA, and a Russian CA is owned by FSB, and a Chinese CA is owned by that government, and all three of these compromised CAs agree on a cert, what does it mean?

It means the cert is probably accurate, or about as accurate as you can possibly get, without going over to the server certing it yourself. If those three parties are conspiring to disrupt your Amazon order, then I'm afraid you're not going to get your package, no matter what crypto you use. :-)

Comment Re:Revocation --- or Redundancy? (Score 3, Insightful) 233

Are you really suggesting that?! Do you even know how PKI works?

It sounds like he does indeed know how it works very well. It's actually a great idea, which is why PGP defaults (I think) to requiring about three "moderately trusted" CAs to agree, in order to confirm an identity. Upgrading from our current luddite stuff to gleaming new 1991 tech would be fantastic, and is pretty warranted, when you think about how silly our current situation is. Treating something like Verisign as a fully trusted introducer? ha! They're not that trustworthy, but they're not useless, either. PGP's concept of differing degrees of trust, gets it about right and would be a huge step forward.

Comment Lawbot 0.0.2 alpha (Score 2) 348

Somebody didn't think very hard before they suggested this idea.

If computers were able to detect copyright infringement, then there wouldn't be any DRM, or if there was DRM, nobody would have a problem with how it worked, and so there wouldn't be enough infringement for anyone to want to block.

If computers were able to detect copyright infringement, then HBO's DMCAbot wouldn't be sending takedown notices to Google for half of the pages on the web that use the word "boardwalk" or "thrones" somewhere in their text.

But computers aren't able to detect copyright infringement, and to date, every single attempt to have them try to do it, has resulted in over-the-top comedic failure that was deployed thirty years before it was ready.

Nobody's computer ever went to law school and learned the difference between infringing and non-infringing uses. Geez, ask experts whether or not an H.P. Lovecraft story is still under copyright, and you can get two different answers. And you want computers to accurately identify each work, know its publication history, know whether or not its distribution is authorized, understand the nature of a use and its effect on the market, and then have the smarts to put all the facts together and come up with "infringing" vs "non-infringing"?

Tell you what. If I ever get a message from Google about a DMCA-blocked search result that isn't absurd bullshit, or if I ever hear about a DRM scheme that doesn't prevent innocent noninfringing uses, then the idea may start to have some credibility. Until then, seriously asking for Google to identify copyright infringement, is like seriously asking your Honda dealer where the lot with the flying cars is.
